NAVAL  POSTGRADUATE  SCHOOL 

Monterey,  California 




MULTILEVEL  SECURITY 
IN  A 

LOCAL  AREA  NETWORK 


Debra  Ann  Straub 


March  1984 




Thesis  Advisor: 


Norman  R.  Lyons 


Approved  for  public  release;  distribution  unlimited 






REPORT DOCUMENTATION PAGE

Title: Multilevel Security in a Local Area Network
Type of Report and Period Covered: Master's Thesis, March 1984
Author: Debra Ann Straub
Performing Organization Name and Address: Naval Postgraduate School, Monterey, California 93943
Controlling Office Name and Address: Naval Postgraduate School, Monterey, California 93943
Report Date: March 1984
Number of Pages: 80
Security Class (of this report): Unclassified
Distribution Statement (of this report): Approved for public release; distribution unlimited
Key Words: WWMCCS Information System; Multilevel Security; Trusted Software; Local Area Network
Abstract: see ABSTRACT below.


ABSTRACT

This thesis examines the design of a local area network that is able to simultaneously handle users at a variety of security levels, while providing full multilevel protection of the data. A major feature of the design is the use of trusted software in the network interfaces to provide security for data entering or leaving the network. This secure design was initiated to investigate options for local area network technology that could be incorporated into the planned near-term upgrade for the WWMCCS Information System ADP support.


TABLE OF CONTENTS

I. INTRODUCTION
II. BACKGROUND
III. ARCHITECTURAL COMPONENTS
  A. SUBNETWORKS
  B. TRUSTED INTERFACE UNITS (TIUs)
  C. BRIDGES
  D. GATEWAYS
  E. GUARDS
IV. CONCEPT
  A. SIMPLE MULTILEVEL LAN
  B. FULL MULTILEVEL LAN
V. OPERATIONAL ENVIRONMENT
  A. SINGLE-LEVEL RESOURCE SCENARIO
  B. VARIABLE-LEVEL RESOURCE SCENARIO
  C. MULTILEVEL RESOURCE SCENARIO
VI. DESIGN DETAILS
  A. LEVEL OF INTERCONNECTION
  B. ADDRESSING, SECURITY AND ROUTING
  C. PROTOCOLS
    1. Low Layer Protocols
    2. High Layer Protocols
  D. TRUSTED INTERFACE UNIT (TIU)
    1. Single-Level TIU
    2. Variable-Level TIU
    3. Multilevel TIU
  E. BRIDGES
    1. Security Processing
    2. Routing Concepts
    3. Buffering
    4. Half-Bridges
  F. FLOW AND CONGESTION CONTROL
VII. SUMMARY
  A. ADVANTAGES
  B. DISADVANTAGES
  C. FURTHER RECOMMENDATIONS
  D. CONCLUSION
LIST OF REFERENCES
INITIAL DISTRIBUTION LIST






LIST OF FIGURES

3.1 Guard on the Secure LAN
4.1 Simple Multilevel LAN
4.2 Full Multilevel LAN
5.1 Single-level Resource Scenario
5.2 Variable-level Resource Scenario
5.3 Multilevel Resource Scenario
6.1 Local Area Network Packet Format
6.2 Trusted Interface Unit (TIU) Architecture
6.3 Bridge Architecture (Half-Duplex)
6.4 Fixed Routing Tables






I. INTRODUCTION

The Department of Defense (DoD) is currently upgrading the Worldwide Military Command and Control System (WWMCCS) in an effort to evolve the existing Automated Data Processing (ADP) capabilities into a new WWMCCS Information System (WIS).

Plans for this modernization call for a communications medium that will allow terminals to communicate with both single-level and multilevel secure functional resources that would be required at a WIS site. The WWMCCS System Engineer has proposed that the medium be a local area network (LAN) [Ref. 1]. Since the WIS is to be based around a LAN, and resources of different levels will require LAN access, the LAN must be multilevel secure from the beginning. However, a "controlled mode" LAN may be acceptable initially.

Sidhu and Gasser [Ref. 2] have designed a secure LAN that is based upon the "trusted system" concept. This thesis examines their design option for a secure LAN that can be incorporated into an initial scenario to provide multilevel security for WIS sites.




II. BACKGROUND

In Sidhu and Gasser's design it is assumed that the communication medium is as well protected as the users' work stations, safes, etc. Therefore, encryption of the data is not a requirement except where the medium must pass through an unprotected zone, such as between buildings. Their design goal is to enforce the DoD security policy [Ref. 3] with respect to accessing data on the communications medium, while enabling a wide variety of resources to be shared.

The constraints of a typical WWMCCS command center environment motivated the design. At a typical WWMCCS node data processing must be carried out at multiple security levels, with users requiring access to multiple levels of data. The cost of certifying and accrediting physical facilities for high levels of security dictates that not all facilities may be cleared to hold classified data. Therefore, an example of their design goal is to make Secret data from one network (which handles data up to the Secret level) available to a Secret subscriber on another network which handles data up to the Top Secret level (note that this design does not take into account a control for need-to-know). Also, the design must prevent Top Secret data from spilling (from a Top Secret controlled mode network) into a Secret controlled mode network.

The key to Sidhu and Gasser's trusted systems approach is the use of trusted interface units (TIUs) that govern secure communication between subscribers only at identical security levels. Outgoing data are marked by the TIU with the security level of its attached subscriber. All data coming into a subscriber are examined by the TIU to ensure that their security level matches that of the attached subscriber.

Another aspect of the design calls for bridges that allow data to be shared among physically separate LANs. For example, the bridges would govern the sharing of data between a Secret controlled mode network and a Top Secret controlled mode network, as previously described. The bridge is configured as a network subscriber whose task is to relay data to another network, on which it also acts as a network subscriber. While relaying data, the bridge ensures that no data shall be placed on a network that is not cleared to handle the security level of the data.

The WIS modernization program dictates that the secure LAN be available around 1985. Another design goal is to implement an initial secure LAN capability within this time frame. For this reason, Sidhu and Gasser stress a near-term solution in great detail, with progressively less detail provided for the more complex longer term solutions.

The remainder of this thesis discusses the architectural components, concept, operational environment and design details of this particular approach to multilevel security in a local area network.




III. ARCHITECTURAL COMPONENTS

The LAN configuration contains the following: subnetworks and their communications media, trusted interface units, bridges, gateways and guards. An overview of these components follows.

A. SUBNETWORKS

A subnetwork is a part of the LAN that fully resides within a protected environment (an area physically protected to a specified system-high security level that corresponds to a portion of a building, a whole building or a group of buildings). Protected environments are further defined by the proximity of a set of subscribers which operate up to a given security level. If part of a subnetwork passes through an unprotected area, then it is assumed that encryption devices will be used that can handle the bandwidth of the subnetwork, or a separate subnetwork could be constructed with an intervening bridge. It is assumed that the protected environment will include any encrypted portions of the medium.


B. TRUSTED INTERFACE UNITS (TIUs)

To access a network a subscriber connects to a TIU that places the proper security markings on all data entering the LAN from the subscriber, and in return provides the subscriber with only that data from the LAN that has the proper security labels. It should be noted that subscribers attached to a subnetwork may operate at any security level at or below that of the subnetwork environment.




Initially, a single-level subnetwork has been proposed for the vast majority of users that will require only a single-level environment and for the evolutionary growth of the LAN [Ref. 4: p. 10]. Although a single-level (for example, Secret) TIU supports a single-level Secret subscriber, the subnetwork interface within the TIU is actually multilevel since it has access to all data on the subnetwork. Therefore, the single-level TIUs are considered trusted, while the single-level subscriber need not be.

Variable-level TIUs support subscribers who may operate at different security levels at different times. This TIU is the same as a single-level TIU, except that its security level may change over time.

For multilevel subscribers, multilevel TIUs are required. The difference between a multilevel TIU and a variable-level or single-level TIU (in terms of the trusted mechanism in the TIU) is discussed further in chapter VI.

C. BRIDGES

The subnetworks comprising the LAN are themselves local area networks that are connected to each other with bridges [Ref. 5: pp. 1497-1517]. The bridges therefore provide the links between subnetworks at the same or different security levels. Bridges must be trusted to prevent packets on a higher level subnetwork from entering a lower security level subnetwork, if those packets originated with a subscriber operating above the lower level. This precaution is necessary because one subnetwork may be protected to a lower security level than another subnetwork to which it is bridged.


D. GATEWAYS

One of the ultimate goals of the WIS upgrade is to provide WWMCCS Intercomputer Network (WIN) access to all LAN subscribers at a site [Ref. 1], therefore necessitating a gateway connected directly to the LAN. To be fully useful, the gateway to any multilevel network (i.e., WIN, the Defense Data Network (DDN), or other wide-area networks) must itself be multilevel secure, including the gateway's interface to the LAN. It should be noted that Sidhu and Gasser focus only on the LAN problem and do not address gateways to any detailed extent.


E. GUARDS

Also employed in this design are guard nodes that allow information to move from one security level to another in a controlled manner. Generally, a guard is a trusted computer that examines output from a single-level computer running at a "high" security level and transfers that data to another computer or subscriber running at a "low" level [Ref. 6]. The purpose of the guard is to allow data to flow from high to low if that data is actually classified at the low level but happens to reside in the high level environment. A guard may also be used to selectively downgrade output from a high level system. In order to prevent accidental downgrading, guards may examine data flowing from high to low for "acceptable" values. An example of the use of a guard is where there is a need for a Secret user to access Secret data residing in a Top Secret subnetwork. In this case, guards are required because existing mainframes are not trusted for multilevel or controlled mode operation. Existing mainframes must run at the level of the most sensitive data (single-level system-high), even though the system-high information is only a small portion of the total data. Therefore the guard provides an inexpensive alternative to clearing to the system-high level all users who must access such data.

A guard usually operates with one high side and one low side, each at a specific fixed level. The guard can then be easily interfaced to the secure LAN by the use of two single-level TIUs, one for each side. Figure 3.1 illustrates one particular guard system that could be used on a secure LAN [Ref. 7: p. 5]. Data flowing from a high subnetwork would enter the guard via the high TIU, and the guard would send the downgraded results via the low TIU to the appropriate subscriber. This implies that the guard must reside on a subnetwork with a level at least that of the high subnetwork. The guard system in figure 3.1 is logically partitioned into guard trusted and untrusted functions. The guard trusted functions provide the capability to ensure the secure interchange of information across security boundaries. The guard low and high untrusted functions support the guard trusted information flow functions, provide application system specific functions that are not security relevant, and act as an interface between the guard trusted processing element and its external application system environment.

The guard system consists of three (3) computer programs: the Guard Trusted Processing (GTP) element, the Guard Low Processing (GLP) element, and the Guard High Processing (GHP) element. The GTP element provides all guard trusted functions. The GLP and GHP elements provide all guard low and high untrusted functions, respectively.

The GLP and GHP elements are functionally symmetric in that each acts as an interface between the GTP and its corresponding external application system environment (low or high). The GLP and GHP each consist of three logical elements: an application system interface that interprets application system protocol; a guard protocol interface which provides a secure communications path between guard untrusted and trusted elements in support of the guard information flow functions; and guard untrusted application-specific functions which are not security relevant and, therefore, need not be trusted. Since single-level TIU interfaces are used in figure 3.1, the guard would be treated by the LAN as two separate single-level subscribers. It should be noted that another option would be to use a single multilevel TIU for the guard.

Sidhu and Gasser have assumed that existing and planned guards, such as the one just described, will function on the secure LAN with little or no modification, other than that normally required to interface any host to a LAN.
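The following is an added example of the guard's trusted processing element as described above; it is not code from the thesis or from the guard system Sidhu and Gasser cite. The record format, the field names, the "acceptable value" patterns and the class name are assumptions made for this example: a real guard's review criteria are application specific and would be set by the accreditor, not by the guard's programmer.

```python
"""Model of a Guard Trusted Processing (GTP) element between the high-side
(GHP) and low-side (GLP) untrusted elements. Added example; the record
layout and acceptance rules below are assumptions, not the thesis's."""
import re
from typing import Dict, List, Optional, Tuple

# Linear ordering of the DoD levels used in the thesis (no compartments).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed "acceptable values": a record released downward may carry only
# these fields, and every value must match its pattern exactly. Free text
# never matches, so it can never be released by accident.
ACCEPTABLE_FIELDS: Dict[str, str] = {
    "msgid":  r"[0-9]{6}",
    "site":   r"[A-Z]{3}",
    "status": r"(OK|DEGRADED|DOWN)",
}


class GuardTrustedProcessing:
    """GTP element: the only part of the guard that must be trusted."""

    def __init__(self, high: str, low: str):
        if RANK[high] <= RANK[low]:
            raise ValueError("the high side must dominate the low side")
        self.high, self.low = high, low
        self.audit: List[str] = []        # every decision is recorded

    def release(self, record: Dict[str, str], claimed_label: str) -> Optional[Dict[str, str]]:
        """High -> low. Returns the record to hand to the GLP element, or None.

        Two independent checks are applied: the high side's claim that the
        data is really classified at or below the low level, and a content
        review against the acceptable-value rules. The second check is what
        prevents accidental downgrading of high data that was mislabelled.
        """
        msgid = record.get("msgid")
        if claimed_label not in RANK or RANK[claimed_label] > RANK[self.low]:
            self.audit.append(f"REJECT label={claimed_label!r} msgid={msgid}")
            return None
        for field, value in record.items():
            pattern = ACCEPTABLE_FIELDS.get(field)
            if pattern is None or not re.fullmatch(pattern, value):
                self.audit.append(f"REJECT content field={field!r} msgid={msgid}")
                return None
        self.audit.append(f"RELEASE {self.high}->{self.low} msgid={msgid}")
        return dict(record)

    def upward(self, record: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
        """Low -> high. No security boundary is crossed downward, so no content
        review is needed; the data is delivered at the high side's level (the
        high-side single-level TIU would stamp it that way in any case)."""
        self.audit.append(f"UP {self.low}->{self.high} msgid={record.get('msgid')}")
        return self.high, dict(record)


if __name__ == "__main__":
    gtp = GuardTrustedProcessing("TOP SECRET", "SECRET")
    print(gtp.release({"msgid": "000123", "site": "NPS", "status": "OK"}, "SECRET"))
    print(gtp.release({"msgid": "000124", "site": "NPS", "remarks": "free text"}, "SECRET"))
    print("\n".join(gtp.audit))
```

The second call in the demonstration is refused even though the high side claimed the record was Secret: the unreviewable free-text field is exactly the kind of content a guard exists to hold back.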




IV. CONCEPT

There are two major areas of DoD security policy which must be addressed when considering a local area network security architecture. The first is "user separation". This concept refers to the ability of a network security design to provide segregated communities of subscribers such that traffic from individual communities can be transmitted to authorized subscribers in those communities and not disclosed to subscribers outside those communities. That is, some network component must ensure that an Unclassified subscriber receives only Unclassified information over the local network. The enforcement of this policy provides protection against unauthorized disclosure to authorized but uncleared subscribers on the network.

The second policy area is the concept of "data protection". This refers to the ability of the network to provide protection against malicious attempts to access, modify or destroy information in the network. This includes subverting authorized network components and attaching unauthorized network components. In order to enforce this policy two approaches may be used: encryption (end-to-end) or a Protected Wireline Distribution System (PWDS) [Ref. 8]. A PWDS provides physical protection of network components including the transmission medium, whereas encryption provides protection by making the information unintelligible.

Sidhu and Gasser describe their overall solution concept in two stages, from the simplest LAN to the most complex LAN. In their concept it can be seen that "user separation" and "data protection" are incorporated by means of subnetworks and encryption of the LAN medium itself.


A. SIMPLE MULTILEVEL LAN

A simple multilevel LAN would appear as in figure 4.1 [Ref. 2: p. 5], with a simple LAN communications medium supporting a variety of resources or subscribers (i.e., hosts, terminals, and such devices as printers and mass storage units). Subscribers may operate at various security levels, but communication is restricted to subscribers of the same level. If there are subscribers of more than one security level, then only designated multilevel hosts or terminals (trusted to protect information at several classification levels) would be able to communicate with them.

Each single-level resource will be protected and controlled to process information up to a designated maximum security level for that specific resource, just as is currently done today. All information from a single-level subscriber that enters the LAN will be protected as if it were at that level and will not be transmitted to a resource at a lower security level. This restriction is the same as that imposed today, except that components operating at the same system-high security level may be interconnected. The difference for the LAN is that the separation between the security levels is logical rather than physical. Multilevel resources that are assigned a set of security levels at which they are allowed to operate are restricted to communicating with other multilevel or single-level resources within their range.

The LAN itself is designed to be a passive medium such as coaxial cable or a twisted pair. The key architectural elements of the LAN are the trusted interface units (TIUs). The TIUs will maintain separation of information of different levels, with one TIU associated with each subscriber or set of subscribers operating at a given security level or range. The TIUs perform a single security-related function, that is, to label each packet of outgoing (subscriber to the LAN) data with the correct security level of the subscriber and to check the security labels of incoming packets and compare them against that of the subscriber. For the case of a single-level subscriber, only one level is allowed and therefore all security controls (labelling and checking) are built into the TIUs and the subscribers do not need to be "trusted" to provide the proper security labels. However, multilevel subscribers are trusted to specify their own security labels within a specified range. They must also protect incoming data within that range (the TIUs for those subscribers will enforce the correct range).

[Figure 4.1: Simple Multilevel LAN. Three hosts, one Top Secret, one Secret and one Unclassified, each attached through its TIU to a single multilevel local area network medium.]
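The labelling and checking rule just described, as an added example that is not code from the thesis or from Sidhu and Gasser's design. It models the three TIU types of chapter III on the passive medium of figure 4.1. The packet layout, the flat address space, the class and function names and the use of a plain total order over the four DoD levels (the design does not treat compartments or need-to-know) are assumptions of this example.

```python
"""Trusted interface unit (TIU) model for the simple multilevel LAN.
Added example; packet format and names are assumptions, not the thesis's."""
from dataclasses import dataclass, replace
from typing import Optional

# Linear ordering of the DoD levels used in the thesis (no compartments).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Packet:
    src: str                # subscriber address (assumed: one flat address space)
    dst: str
    label: Optional[str]    # security label in the packet header; None if absent
    payload: bytes


class TIU:
    """Trusted interface unit in front of one subscriber.

    low..high is the range the TIU is configured for. A single-level TIU has
    low == high and supplies every label itself; a variable-level TIU is the
    same but its level may be changed over time; a multilevel TIU has
    low < high and accepts the subscriber's own label if it lies in range.
    """

    def __init__(self, subscriber: str, low: str, high: Optional[str] = None):
        self.subscriber = subscriber
        self.low = low
        self.high = low if high is None else high
        if RANK[self.low] > RANK[self.high]:
            raise ValueError("inverted range")

    @property
    def multilevel(self) -> bool:
        return self.low != self.high

    def set_level(self, level: str) -> None:
        """Variable-level TIU: change the single operating level. This is an
        administrative action on the TIU, never a request from the subscriber."""
        if self.multilevel:
            raise ValueError("a multilevel TIU has a range, not a single level")
        self.low = self.high = level

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Subscriber -> LAN. Returns the packet as it will appear on the
        medium, or None if the TIU refuses to transmit it."""
        if not self.multilevel:
            # The untrusted subscriber is never believed: whatever label it
            # supplied (or omitted) is overwritten with the TIU's level.
            return replace(pkt, label=self.low)
        # A multilevel subscriber labels its own data; the TIU enforces the range.
        if pkt.label not in RANK or not (RANK[self.low] <= RANK[pkt.label] <= RANK[self.high]):
            return None
        return pkt

    def inbound(self, pkt: Packet) -> bool:
        """LAN -> subscriber. True if the packet may be passed to the subscriber."""
        if pkt.label not in RANK:
            return False        # unlabelled or malformed packets are never delivered
        return RANK[self.low] <= RANK[pkt.label] <= RANK[self.high]


def transmit(sender: TIU, receiver: TIU, pkt: Packet) -> Optional[Packet]:
    """The passive medium of figure 4.1: every TIU sees every packet, so a
    delivery is just the sender's labelling followed by the receiver's check."""
    on_wire = sender.outbound(pkt)
    if on_wire is None or not receiver.inbound(on_wire):
        return None
    return on_wire


if __name__ == "__main__":
    secret_host = TIU("host-a", "SECRET")
    unclass_host = TIU("host-b", "UNCLASSIFIED")
    ml_terminal = TIU("term-m", "CONFIDENTIAL", "SECRET")
    p = Packet("host-a", "host-b", None, b"hello")
    print(transmit(secret_host, unclass_host, p))        # None: Secret never reaches Unclassified
    print(transmit(secret_host, ml_terminal, replace(p, dst="term-m")).label)   # SECRET
```

Note that a single-level TIU discards any label the subscriber offers, so a subscriber that lies about its level gains nothing; only a multilevel subscriber's label is ever read, and then only to confirm it is within the TIU's configured range.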


Since there is no communication across the security levels in figure 4.1, the logical effect of the LAN is that of separate LANs. This architecture provides no benefit over physically separate LANs that do not require the use of interface units. There is one main advantage with this structure, and that is the upgrading capability it possesses. If the architecture shown in figure 4.1 is used as a basis, then multilevel operation can be achieved via a series of small incremental enhancements as development progresses. Each upgrade can be accomplished without discarding any existing hardware or software and without impacting the operation of the system.

The obvious problem with the architecture of figure 4.1 concerns physical protection requirements. It is apparent that the entire LAN medium and all the TIUs must be protected to system-high since all components will contain system-high information. This implies that all hosts and terminals must be protected to system-high (the situation today), which is not practical. Keeping in mind that the subscriber-TIU interfaces usually consist of relatively short cables, the problem that arises is how to connect an unprotected subscriber to its TIU where the TIU and LAN medium must reside in a highly protected area.

The solution concept presented so far ignores very serious physical constraints on how users and hardware are protected in a secure environment. Therefore, a more flexible solution is required.

B. FULL MULTILEVEL LAN

Figure 4.2 [Ref. 2: p. 9] illustrates a full multilevel LAN. The concept is to provide a separate physical sub-LAN (subnetwork) for each community with different security protection requirements. Each subnetwork is itself a simple multilevel LAN as depicted in figure 4.1. This is accomplished through the use of bridges constructed as interfaces between subnetworks. The bridges act as filters for classified packets of data addressed across subnetwork boundaries.

Although each subnetwork has a maximum security level associated with it, subnetworks provide full multilevel protection for all levels below their maximum. Individual users may operate at levels below the subnetwork maximum, while maintaining the same restriction that only subscribers of the same level can communicate. It is not the intention of this design to provide a subnetwork for every combination of specific security level and compartment utilized at a WWMCCS site. The intent is just one subnetwork for each environment that is separately physically protected to a given system-high level.

To clarify this concept, consider host A in figure 4.2. It is physically protected to the Secret level and it may run at the Unclassified level, wherein it can communicate with host B on the Unclassified subnetwork. In order for host A to run Unclassified it must be appropriately sanitized and must have no connections to any Secret devices other than the TIU to the subnetwork. Host C illustrates a subscriber in an Unclassified environment connected to a Top Secret subnetwork. Because the TIU for host C must be protected to Top Secret in order to remain trusted, it is the only component for host C that needs to be within the Top Secret environment. Host D in the Confidential environment is configured as a remote from the Secret subnetwork to which it connects. Here again, the TIU for host D provides the isolation of the host from data on the subnetwork above the Confidential level.

[Figure 4.2: Full Multilevel LAN.]

Figure 4.2 only illustrates a subnetwork's maximum level; however, the concept of a subnetwork's minimum level may also apply. A minimum level is enforced in the same manner as a maximum subnetwork level.


For example, if it is known that a certain subnetwork has a minimum of Secret, then interfaces to the subnetwork (bridges and TIUs) would assume that all data are at least Secret and will not accept, or will automatically upgrade, any data labelled at a lower level. A minimum level does not limit the actual minimum level of data that users can transmit. It only limits the labels that can be placed on the data by the network components, and therefore it limits the destination of the data. Actually, the minimum level of a subnetwork would be greater than Unclassified only if the various devices protecting the data were not trusted (administratively) to provide the required protection.

For example, if part of a LAN contained highly sensitive data which the TIUs and bridges were unable to adequately protect, then that section of the LAN subnetwork could be isolated and its use limited to subscribers operating at the appropriate security levels. Users would be able to operate at all levels on the subnetwork, and be able to communicate via a bridge to other parts of the LAN. However, no data leaving the subnetwork could be labelled at a level below the minimum level of the subnetwork. If a TIU on the subnetwork were compromised, the TIUs and bridges that comprise the rest of the LAN would prevent any data originating from the subnetwork from travelling to a subscriber, elsewhere on the LAN, that is not cleared to the appropriate level, or from arriving on another subnetwork of a lower level. One point should be explained concerning this last statement. If the TIUs on the subnetwork are not trusted to avoid downgrading the information, why should the bridges or TIUs on the rest of the LAN be trusted not to do the same? They shouldn't. The lack of trust of the devices on the subnetwork refers to the type of environment the subnetwork is located in and the possibility of a lack of complete trust in the multilevel resources on that subnetwork. An example of this reasoning is a subnetwork running in a controlled mode where data are labelled by partially trusted multilevel hosts up through Top Secret, but where the users of the subnetwork have a minimum clearance of Secret. The multilevel host is trusted only to distinguish between Secret and Top Secret.
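The bridge behaviour described in this section, with both a subnetwork maximum and a subnetwork minimum, as an added example that is not code from the thesis or from Sidhu and Gasser. The scenario function reproduces the controlled-mode case just discussed: a compromised TIU on a Top Secret subnetwork whose minimum is Secret labels Top Secret data "Unclassified". The address scheme, the fixed routing table keyed by destination address and the class names are assumptions of this example (the thesis's own routing and buffering design is in chapter VI).

```python
"""Trusted bridge between two subnetworks, each with a maximum (system-high)
level and a minimum label. Added example; names and addressing are assumed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Linear ordering of the DoD levels used in the thesis (no compartments).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    label: str
    payload: bytes


@dataclass(frozen=True)
class Subnetwork:
    name: str
    maximum: str                    # level the environment is physically protected to
    minimum: str = "UNCLASSIFIED"   # lowest label its interfaces will let leave it


class Bridge:
    """Trusted relay between two subnetworks (a subscriber on each of them)."""

    def __init__(self, a: Subnetwork, b: Subnetwork, routes: Dict[str, str]):
        self.nets = {a.name: a, b.name: b}
        self.routes = routes            # destination address -> subnetwork name
        self.audit: List[str] = []

    def relay(self, pkt: Packet, arriving_on: str) -> Optional[Tuple[str, Packet]]:
        """Returns (subnetwork name, packet) to forward, or None if the packet
        is not for the other side or must be dropped."""
        src_net = self.nets[arriving_on]
        dst_name = self.routes.get(pkt.dst)
        if dst_name is None or dst_name == arriving_on:
            return None                 # local traffic or unknown destination
        dst_net = self.nets[dst_name]
        if pkt.label not in RANK:
            self.audit.append(f"DROP unlabelled {pkt.src}->{pkt.dst}")
            return None
        label = pkt.label
        # Minimum level: a label below the source subnetwork's minimum is not
        # believed (a TIU there may be compromised or only partially trusted),
        # so the label is raised before the packet leaves that subnetwork.
        if RANK[label] < RANK[src_net.minimum]:
            self.audit.append(f"UPGRADE {label}->{src_net.minimum} {pkt.src}->{pkt.dst}")
            label = src_net.minimum
        # Maximum level: never place data on a subnetwork not cleared for it.
        if RANK[label] > RANK[dst_net.maximum]:
            self.audit.append(f"DROP {label} exceeds {dst_net.name} maximum {dst_net.maximum}")
            return None
        return dst_name, replace(pkt, label=label)


def scenario() -> Dict[str, Optional[str]]:
    """Controlled-mode case from the text. Returns the label each packet
    carries on arrival, or None if the bridge dropped it."""
    ts = Subnetwork("ts-controlled", "TOP SECRET", minimum="SECRET")
    sec = Subnetwork("secret", "SECRET")
    unc = Subnetwork("unclass", "UNCLASSIFIED")
    ts_to_sec = Bridge(ts, sec, {"host-s": "secret", "host-ts": "ts-controlled"})
    ts_to_unc = Bridge(ts, unc, {"host-u": "unclass", "host-ts": "ts-controlled"})
    leaked = b"Top Secret data mislabelled by a compromised TIU"   # constructed input
    out: Dict[str, Optional[str]] = {}
    r = ts_to_sec.relay(Packet("host-ts", "host-s", "UNCLASSIFIED", leaked), "ts-controlled")
    out["to_secret"] = r[1].label if r else None      # upgraded to SECRET; only Secret subscribers see it
    r = ts_to_unc.relay(Packet("host-ts", "host-u", "UNCLASSIFIED", leaked), "ts-controlled")
    out["to_unclass"] = r[1].label if r else None     # upgraded to SECRET, then dropped
    r = ts_to_sec.relay(Packet("host-s", "host-ts", "SECRET", b"legitimate"), "secret")
    out["from_secret"] = r[1].label if r else None    # upward flow is permitted unchanged
    return out


if __name__ == "__main__":
    print(scenario())
```

The minimum-level rule costs nothing in trust: the bridge never has to decide whether the source TIU was honest, it simply refuses to carry a label the source subnetwork is not accredited to produce.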

Note that in figure 4.2 encryption plays an important role. Between the Secret and Confidential subnetworks and between the Secret and Top Secret subnetworks, the encryption involves a simple serial bit stream that is link encrypted.

Between the two Top Secret subnetworks, the LAN itself is designed to be encrypted. So far, the complexities of encrypting a LAN medium have not been studied in detail. But this should not have a great impact on Sidhu and Gasser's design, since it does not depend on the ability to encrypt the LAN medium directly (the two portions could be physically separate subnetworks connected by bridges). However, encryption of the medium is attractive because it could minimize the number of separate subnetworks that would be employed at a given site.


V.  CEEBATIOHil  ENVIRONMENT 


lbe  goals  for  the  fully  operational  configuration  of  the 
secure  LAN,  according  to  Sidhu  and  Gasser,  are  that  it  be 
able  to  maintain  separation  between  classified  data  and 
users  that  are  not  cleared  to  see  that  data,  and  that  it 
give  appropriately  cleared  users  access  to  data  which  may 
have  different  classifications.  This  means  that  the  infor¬ 
mation  must  be  maintained  by  classification  in  the 
computer  (s)  and  that  the  information  be  controlled  by  clas¬ 
sification  from  the  computer  to  the  user.  Therefore,  the 
mature  configuration  of  the  secure  LAN  must  be  able  to 
support  multilevel  computers,  multilevel  networks,  and 
multilevel  terminals. 

Full multilevel operation of resources at a WIS site will not be achieved in the immediate future, no matter what the multilevel capabilities of the LAN. Therefore, to limit the risk of constructing a LAN to support full multilevel resources from the beginning, most resources in the initial installations will be single-level. In chapter IV the incremental enhancement of a secure LAN from the simple version of figure 4.1 to the multiple version of figure 4.2 was introduced. This progressive enhancement was designed to compensate for physical security installation constraints at a WIS site. From here on the LAN will be addressed as if it consisted of multiple subnetworks, with the understanding that the single-subnetwork version will be an initial capability fully compatible with the final structure.

Sidhu and Gasser have provided a series of "scenarios" that provide successively more flexible and improved multilevel secure processing capability. The three scenarios, which are centered around the three versions of the TIU discussed in chapter III, enable capability to start with the existing single-level equipment and grow to a fully mature multilevel secure configuration. The first scenario documented in this thesis is expected to be operational around 1985 or 1986. The functions in the second and third scenarios are to be achieved via evolutionary growth. All of the scenarios are illustrated with multiple subnetworks, yet any of these scenarios can operate with either the single or multiple subnetwork versions of the secure LAN.

A. SINGLE-LEVEL RESOURCE SCENARIO

In this scenario it is assumed that all of the resources are untrusted and therefore single-level. Single-level TIUs are designed and trusted to ensure that data to and from a particular resource always have the proper label of the level of that resource. In this configuration only bridges will transmit data of more than one security level.

Figure 5.1 [Ref. 2: p. 23] depicts the single-level resource scenario: a LAN consisting of Top Secret and Secret subnetworks, supporting single-level hosts and single-level terminals. The security level of each subnetwork is the maximum level of any of the single-level subscribers on the subnetwork, and therefore the maximum level that packets will be labelled on the subnetwork. In figure 5.1, the Confidential terminal (third from the left) is able to access the Confidential host computer (lower right), the Secret terminals can access the Secret host computer, and the Top Secret terminals can access the Top Secret computer. The bridge joining the Top Secret subnetwork and the Secret subnetwork assures that only packets of a level of Secret or below are present on the Secret subnetwork. The bridge also allows all packets to pass from the Secret subnetwork (destined for the Top Secret subnetwork),


[Figure 5.1 Single-level Resource Scenario. Figure labels: GUARD, HOST, TS SUBNETWORK, S SUBNETWORK.]


ensuring that their labels are no higher than Secret, but it does not allow Top Secret packets to pass from the Top Secret subnetwork to the Secret subnetwork. The Top Secret subnetwork may also contain Secret or Confidential packets, originating from the Secret host or Confidential terminal, in addition to Top Secret packets. Note that Secret packets may contain data below the level of Secret but cannot be so marked if the single-level resource from which they originated cannot be trusted to maintain the separation and labelling. In the remainder of this thesis there may be reference to the "level" of a packet as being equivalent to the value of some security label on the packet, which is not necessarily the same as the level the user ascribes to the data.


In figure 5.1 note the connection of Confidential and Secret terminals and the Secret host to the Top Secret subnetwork. If the Secret and Confidential terminals and Secret host are connected to their TIUs via a short cable, then there may be a problem concerning different physical protection requirements where the subscriber, TIU and subnetwork are concerned (since the TIUs connected to the Top Secret subnetwork must all be protected to the Top Secret level).

B. VARIABLE-LEVEL RESOURCE SCENARIO

This scenario, which is depicted in figure 5.2 [Ref. 2: p. 25], permits the sharing of data by users at more than one security level. This is due to the introduction of variable-level trusted interface units that allow a terminal user to talk to single-level resources at different levels up to and including his terminal's classification. The interface units are trusted to the extent that they restrict the user to one level at a time, since the interfacing terminal would not be trusted to simultaneously handle multilevel data. However, through the use of switching mechanisms, the level of the terminal, and therefore of the TIU, may change under user control in a static manner. For example, figure 5.2 shows two variable-level TIUs on the Top Secret network. A subscriber at the "C-TS" terminal could communicate with either the Confidential, Secret or Top Secret hosts on either subnetwork through his variable-level TIU.

A variable-level TIU can be constructed that would work with a multiple position switch to connect a user's terminal to one security level or another. However, there could be a problem in that a user would lose any context that he previously had. Findings concerning the LSI Guard system


[Figure 5.2 Variable-level Resource Scenario. Figure labels: GUARD, HOST, SINGLE LEVEL TIU, VARIABLE LEVEL.]


[Ref. 7: p. 4-16], which allows a two-level switching capability, are such that there will be a loss of context that will prove to be extremely annoying to an operational user. The variable-level TIU does not solve this problem but does provide a more enhanced capability that would not be achieved with a single-level TIU.

The variable-level TIU permits a highly classified user to share lower classified resources with users who are operating out of a lower classified area without requiring a separate terminal for the lower classified resources. An example of this would be intelligence users accessing unclassified or Secret data maintained by logistics personnel. The shared database would run at the Secret level, and could be physically located on either the Top Secret or Secret subnetwork. Cross-level transfer of data, however, would be prohibited.

A variable-level TIU could also be used to interface a LAN to a host that operates at different levels at different times (through periods processing).

C. MULTILEVEL RESOURCE SCENARIO

Figure 5.3 [Ref. 2: p. 26] illustrates the fully operational capability of the proposed LAN. A user with a terminal capable of maintaining the separation of data would be connected to the LAN via a multilevel TIU in order to view and modify data of different levels simultaneously, in connection with terminals that have screens or windows for each security level. The terminal and the multilevel TIU coordinate the security level of each data transfer. Also, the multilevel TIUs would allow multilevel hosts to "simultaneously" communicate with various single-level or multilevel terminals and hosts.


VI. DESIGN DETAIL


This chapter provides the details of the design of a multilevel secure local area computer network for WIS. The design was approached with the basic requirement that the LAN allow transmission of data at different security levels but with appropriate protection of data at each security level. This requirement was further integrated with other requirements such as near-term low-risk feasibility of implementation and incremental upgrade capabilities.

The full LAN architecture depicted in figure 4.2 consists of several physically separated subnetworks. Sidhu and Gasser have attempted to maintain the logical view as that of a single local area network with the underlying substructure being totally transparent to the users. The subnetworks comprising the LAN are themselves local area networks connected to each other with bridges. The bridge, in this architecture, is somewhat similar to a gateway in the interconnection of wide-area packet-switched networks, but it is expected to be much simpler. Even though a bridge is simpler than a gateway, it is more complex than a repeater that might be used to boost signals in an Ethernet [Ref. 9]. A bridge accepts packets from one network and broadcasts them onto the medium of one of the other local area networks to which it is connected. The LAN design under review has been simplified such that the bridge connects just two local area networks to each other. A possible upgrade option would be the connection of several subnetworks to a single bridge. A brief summary follows before proceeding with the detailed design work.


Each subnetwork has a security level associated with it which is the level of the protected environment in which it physically resides. Each subnetwork will only carry information with a security level equal to, or less than, the security level of the subnetwork. It may also have a minimum level that is the minimum level at which data in the subnetwork will be labelled. The bridges and trusted interface units will enforce the minima and maxima. Data passing through an unprotected environment must be encrypted to provide protection against passive wiretapping.

The local area network shown in figure 4.2 has the following additional benefits besides meeting the basic security related requirements:

a. It will allow reconfiguration with minimal disruption of service within a fixed security environment.

b. It will allow user separation by communities of interest and information flow, as well as by security levels.

c. It will allow for data security by physical separation of data flow.

d. By limiting the effect of failures and denial-of-service attacks to a single subnetwork, it will enhance reliability.

To begin a look at the detailed design work, a specific set of LAN protocols must be examined. Most of the protocol issues in this design center around the access methods used by TIUs to interface to the LAN medium. For this access protocol, the authors chose a basic contention-type protocol similar to the "carrier-sense multiple access with collision detection" (CSMA/CD) protocols that are currently being used in local area networks such as Ethernet [Ref. 10: pp. 395-404]. They have further incorporated the relevant features of the CSMA/CD access method of the proposed IEEE 802 standard for local area networks [Ref. 11].




Sidhu and Gasser's reason for choosing CSMA/CD is to show how the secure LAN architecture could be implemented using at least one well-specified and currently implemented protocol (even though the IEEE version of CSMA/CD is now only a proposal, they felt the Ethernet protocol is sufficiently similar to be considered a representative implementation). The architecture in figure 4.2 does not depend on CSMA/CD or any other specific protocol. To go beyond the superficial level of detail of figure 4.2, however, a specific protocol must be chosen around which to base further design. The authors do not preclude the use of other protocols to build a secure LAN, but the use of a protocol substantially different from CSMA/CD could possibly require significant changes to much of the design detail to follow.

It should be noted and stressed that, while slightly different versions of CSMA/CD could be used in the various subnetworks with minimal impact, the concept is not suitable for interconnection of CSMA/CD subnetworks with subnetworks using non-contention type protocols such as switched line, token passing rings, etc. If subnetworks based on non-contention technology were included it would probably add considerable complexity to the protocol architecture, particularly in the bridges which must deal with protocol conversion. However, a different design could be used based entirely on non-contention protocols.

The authors point out three features of their architecture that are not yet commonly employed in existing commercial LANs:

(1) The use of bridges to connect subnetworks (a few commercial offerings have recently emerged in this area).

(2) Trusted hardware and software in an interface unit and bridge.

(3) The labelling of packets according to a security level.

For the single-level resource scenario (1985-86 time frame), the first two features will be shown to be rather straightforward to implement with only a small change to existing components while the last feature is moderately more complex. Subsequent evolution will require further development in all three areas.

The remainder of this chapter will discuss briefly certain considerations such as the level of interconnection of subnetworks, addressing, security and routing. Details of the design for the LAN protocols, interface units, bridges, and flow and congestion control will then be presented.

A. LEVEL OF INTERCONNECTION

One important issue in designing the bridges (used to interconnect subnetworks) is the protocol layer at which subnetworks are to be connected [Ref. 12: pp. 1386-1407] and [Ref. 13: pp. 175-195]. A bridge can play the role of an interface unit or of a host. Since the authors are assuming a common LAN technology (suitable broadcast medium) with identical protocols implemented in all the subnetworks, the most natural choice of network interconnection is at the interface unit layer. This would in turn imply that the bridge does not implement a protocol lying at a layer higher than the protocols implemented in the interface units.

B. ADDRESSING, SECURITY AND ROUTING

A two-level hierarchical addressing scheme is specified for addressing subscribers in the LAN. Therefore an address of a subscriber will have two parts: the first part identifies a particular subnetwork, and the second part gives the address of the subscriber on the subnetwork. All routing information will be stored in the bridges for data going across several subnetworks (this is due to the fact that information must be available to direct the data to the desired destination along some optimal path).

Addressing and routing both have implications for data security. The sender TIU inserts the destination address and security level of the data in the header part of the packet. The TIU, whether single-level, variable-level, or multilevel, is trusted to assign the correct security level of the subscriber to the packet. A data packet en route may pass through one or more bridges. Each bridge must decide if the packet should be broadcast on the second subnetwork. At least part of the routing mechanism of the bridges must be trusted, since a packet of a given security level must not appear on a subnetwork of a lower security level. The receiving TIU is trusted to pass the data to its receiver only if the receiver's security level is greater than or equal to the security level of the packet.

The hierarchical addressing scheme and the use of a security field in the packet have a definite effect on the protocols of the LAN and the hardware and software that will support those protocols.
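The following Python model is added here as an illustration; it is not code from Sidhu and Gasser's design or from this thesis. It walks a labelled packet through the two trusted decisions just described: the bridge's forwarding check (a packet never appears on a subnetwork whose level is below its label) and the receiving TIU's delivery check, using the two-part (subnetwork number, station address) addressing scheme. The integer level encoding, the route table and the figure 5.1 topology of one Top Secret and one Secret subnetwork are constructed for the example. The treatment of a subnetwork minimum level (raising a lower label up to the minimum, never lowering one) is an assumption, since the text says minima are enforced but not how.

```python
from dataclasses import dataclass

# Ordered security levels (encoding constructed for this example).
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = 0, 1, 2, 3
NAMES = {UNCLASSIFIED: "Unclassified", CONFIDENTIAL: "Confidential",
         SECRET: "Secret", TOP_SECRET: "Top Secret"}


@dataclass(frozen=True)
class Packet:
    """Header fields relevant here: two-part addresses and the label the sender TIU wrote."""
    dst_subnet: int
    dst_addr: int
    src_subnet: int
    src_addr: int
    level: int


@dataclass(frozen=True)
class Subnetwork:
    number: int
    max_level: int                  # level of the protected environment it sits in
    min_level: int = UNCLASSIFIED   # lowest label that will appear on this subnetwork


def bridge_forward(pkt, from_net, to_net, routes):
    """Trusted bridge decision: may pkt, seen on from_net, be broadcast onto to_net?

    routes maps (subnet where the packet is, destination subnet) -> next-hop subnet.
    Returns (packet as it appears on to_net, reason) or (None, reason) when dropped.
    """
    if pkt.dst_subnet == from_net.number:
        return None, "destination is local to the source subnetwork; not bridged"
    if routes.get((from_net.number, pkt.dst_subnet)) != to_net.number:
        return None, "no route to the destination via this bridge"
    # The security rule: a packet must never appear on a subnetwork whose
    # maximum level is below the packet's label.
    if pkt.level > to_net.max_level:
        return None, "%s packet blocked from %s subnetwork" % (
            NAMES[pkt.level], NAMES[to_net.max_level])
    # Assumption (the text says minima are enforced, not how): a label below the
    # target subnetwork's minimum is raised to that minimum.  Raising a label is
    # always safe; this code never lowers one.
    level = max(pkt.level, to_net.min_level)
    if level != pkt.level:
        pkt = Packet(pkt.dst_subnet, pkt.dst_addr, pkt.src_subnet, pkt.src_addr, level)
    return pkt, "forwarded"


def receiving_tiu_deliver(pkt, subscriber_level):
    """Trusted receive-side check: deliver only if the subscriber's level dominates the label."""
    return subscriber_level >= pkt.level


def route_packet(pkt, subnets, routes):
    """Walk pkt from its source subnetwork to its destination subnetwork through
    successive bridges.  Returns (packet as delivered, reason) or (None, reason)."""
    current = subnets[pkt.src_subnet]
    hops = 0
    while current.number != pkt.dst_subnet:
        nxt = routes.get((current.number, pkt.dst_subnet))
        if nxt is None:
            return None, "unroutable destination subnetwork"
        pkt, reason = bridge_forward(pkt, current, subnets[nxt], routes)
        if pkt is None:
            return None, reason
        current = subnets[nxt]
        hops += 1
        if hops > len(subnets):
            return None, "routing loop"
    return pkt, "delivered to destination subnetwork"


# Constructed topology in the spirit of figure 5.1: subnetwork 1 is Top Secret,
# subnetwork 2 is Secret, and one bridge joins them.
SUBNETS = {1: Subnetwork(number=1, max_level=TOP_SECRET),
           2: Subnetwork(number=2, max_level=SECRET)}
ROUTES = {(1, 2): 2, (2, 1): 1}

if __name__ == "__main__":
    for p in (Packet(2, 0x10, 1, 0x01, TOP_SECRET),     # TS packet aimed at the S subnetwork
              Packet(1, 0x01, 2, 0x10, SECRET),         # S packet bound for the TS subnetwork
              Packet(2, 0x10, 1, 0x03, CONFIDENTIAL)):  # C packet leaving the TS subnetwork
        out, why = route_packet(p, SUBNETS, ROUTES)
        print(NAMES[p.level], "from subnet", p.src_subnet, "to", p.dst_subnet, ":", why)
        if out is not None:
            print("  Secret terminal may receive:", receiving_tiu_deliver(out, SECRET))
```

Only the comparison against the target subnetwork's maximum and the receive-side dominance check need to sit in the trusted part of the bridge and TIU; the route lookup itself can fail without compromising separation, since a wrong next hop is still subjected to the same label check before anything is broadcast.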

C. PROTOCOLS

In order for the LAN of figure 4.2 to perform its communication service, communication protocols implemented in the TIUs and bridges must perform a variety of basic functions. Since security and bridges have been added to the "usual" structure of a LAN, the effect they will have on protocols must be considered.


The protocols have been arbitrarily divided into two groups: low layer and high layer. The protocols in the low layer group perform functions of layer 1, 2 and 3 protocols in the ISO Reference Model [Ref. 14: pp. 81-118]. For example, they provide procedures for transporting packets from a sender to receiver within the LAN. Note that protocol "layers" is used instead of "levels" simply to avoid confusion with security "levels". The layer 1 protocol is the physical layer protocol and specifies characteristics such as voltages, timing, data encoding and decoding, etc., for the transmission medium.

The layer 2 protocol (link protocol) specifies how two physically connected devices (e.g., host-TIU or TIU-TIU) communicate. For our LAN the layer 2 protocol is the TIU-LAN access protocol, implemented in the interface units, that allows interface units (and bridges) to communicate. The design of the layer 2 protocol is based on the proposed IEEE standard 802 CSMA/CD protocol. This version of CSMA/CD provides a broadcast capability and implements collision detection due to simultaneous transmissions, and retransmissions when the medium is not in use. It also retransmits when an acknowledgement is not received. Since a packet that is successfully transmitted and delivered may still be discarded on detection of a transmission error, the service provided by this protocol is like a datagram service (e.g., there is no assurance that correct data will be delivered to the receiver(s)). Therefore, a frame check sequence field in the CSMA/CD link layer protocol is used to detect a damaged packet so that the packet is assured correct if received.

The layer 3 protocol is the network layer protocol. It provides a means for data delivery across networks or subnetworks. The layer 3 protocol is usually nonexistent for single-network LANs (or else it is merged with layer 2) since there is no cognizance of a "network" as separate from the interface units themselves. However, this layer may include a sublayer function to provide transmission of packets through an interconnected system of computer networks. Most of this design involves only the layer 2 CSMA/CD protocol, where the intersubnetworking function is subsumed in CSMA/CD and transparent to any additional internetworking functions in layer 3. The following paragraphs illustrate the more in-depth design details concerning the low layer protocols.


1. Low Layer Protocols

The physical layer 1 protocol of the proposed CSMA/CD IEEE 802 standard can be used in this LAN unchanged. Layer 2 of the CSMA/CD protocol requires some changes in the frame format and procedure parameters to adapt to the secure LAN architecture. It is in this layer where the security considerations have the greatest impact on the protocols. A data security level field will have to be added, and the source and destination addresses will have to be modified to reflect the two-component nature of an address (local network number, TIU address). In figure 6.1 the IEEE CSMA/CD link layer frame format is shown for comparison with the authors' proposed changes [Ref. 2: p. 3ft]. The numbers at the left of each format indicate the number of bytes comprising the field. The importance here is not the exact number of bytes in each field but rather the differences between the "standard" protocol and the proposed secure LAN version. The following is an interpretation of the fields of figure 6.1(b):

Destination Subnet Number: 1 byte
    Function: Destination local subnetwork number

Destination: 6 bytes
    Function: Address on the subnetwork of the TIU receiving the frame

Source Subnet Number: 1 byte
    Function: Source local subnetwork number

Source: 6 bytes
    Function: Address on the subnetwork of the TIU sending the frame

Security Level: 2 bytes
    Function: Security level of the data part in the frame

Data: Variable (up to some maximum) number of bytes
    Function: Data in a fully transparent form, i.e., any bit sequence is allowed

Frame Check Sequence: 4 bytes
    Function: Contains cyclic redundancy check (CRC) value computed over all the fields

Note that the length of the basic header of the frame is the same as in the IEEE 802 specification except that the header has been extended by usurping part of the data field for the security level. Also the address fields have been subdivided to incorporate the subnetwork number rather than adding more fields. The particular positions of the new fields were chosen to make maximum use of anticipated off-the-shelf components and well-tested concepts in the design of the secure LAN. The reasoning for the positions of these fields will be discussed further when the TIU design details are presented.
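As an added example, not part of this thesis or of the referenced report, the secure CSMA/CD frame of figure 6.1(b) serialised and parsed in Python with exactly the field sizes listed above, so that the effect of a transmission error on the frame check sequence can be seen. The 2-byte security level encoding is constructed for the example, zlib's CRC-32 stands in for the IEEE 802 frame check sequence, and the 1500-byte data ceiling is an assumed value, since the text only says "some maximum".

```python
import struct
import zlib

# Header of the proposed secure frame, in the order the fields are listed:
# destination subnet (1), destination address (6), source subnet (1),
# source address (6), security level (2).  Network byte order.
HEADER = struct.Struct("!B6sB6sH")
FCS = struct.Struct("!I")   # 4-byte frame check sequence over all preceding fields
MAX_DATA = 1500             # assumed ceiling for the variable-length data field

# Encoding of the 2-byte security level field (constructed for the example).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def build_frame(dst_subnet, dst_addr, src_subnet, src_addr, level, data):
    """Serialise one frame.  zlib's CRC-32 stands in for the IEEE 802 FCS."""
    if not (0 <= dst_subnet <= 255 and 0 <= src_subnet <= 255):
        raise ValueError("subnet numbers must fit in one byte")
    if len(dst_addr) != 6 or len(src_addr) != 6:
        raise ValueError("station addresses are six bytes")
    if level not in LEVELS.values():
        raise ValueError("undefined security level")
    if len(data) > MAX_DATA:
        raise ValueError("data field exceeds the maximum")
    body = HEADER.pack(dst_subnet, dst_addr, src_subnet, src_addr, level) + data
    return body + FCS.pack(zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame):
    """Decode a frame into its fields.  Returns None when the receiver must
    discard it: too short, FCS mismatch (damaged in transit), or a label value
    the trusted handler does not recognise."""
    if len(frame) < HEADER.size + FCS.size:
        return None
    body, (fcs,) = frame[:-FCS.size], FCS.unpack(frame[-FCS.size:])
    if (zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        return None
    dst_subnet, dst_addr, src_subnet, src_addr, level = HEADER.unpack_from(body)
    if level not in LEVELS.values():
        return None
    return {"dst_subnet": dst_subnet, "dst_addr": dst_addr,
            "src_subnet": src_subnet, "src_addr": src_addr,
            "level": level, "data": body[HEADER.size:]}


def flip_bit(frame, byte_index, bit):
    """Simulate a single-bit transmission error at the given byte and bit."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)


if __name__ == "__main__":
    # Constructed frame: Secret data from station 1 on subnetwork 1 to station 0x10 on subnetwork 2.
    f = build_frame(2, b"\x02\x00\x00\x00\x00\x10", 1, b"\x01\x00\x00\x00\x00\x01",
                    LEVELS["Secret"], b"constructed payload")
    print(parse_frame(f)["level"])          # 2
    # Bytes 14-15 hold the security level; a flipped bit there fails the FCS.
    print(parse_frame(flip_bit(f, 15, 0)))  # None
```

A receiving TIU that sees an FCS mismatch discards the frame, which is the datagram-style behaviour described in section C. The check sequence detects only accidental damage: it is not a keyed integrity check, so it cannot tell a corrupted label from one deliberately rewritten by someone who also recomputes the CRC. Label integrity in this design therefore rests on the trusted header handling in the TIU and bridge and on physical protection or encryption of the medium, not on the FCS.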

The CSMA/CD link layer protocol allows two types of addressing called physical and multicast addressing. The physical address is the unique address of a station whereas the multicast address is either a multicast-group address or broadcast address. A broadcast address is meant to denote all the stations on the LAN, and a multicast address is associated with a group of stations on the LAN. A number of conventions may be implemented to distinguish the different types of addresses. In the secure LAN, multicast addressing can be allowed for stations on a single subnetwork by adopting similar conventions in the destination field of the secure LAN link protocol. However, in order to allow multicast (group or broadcast) addressing throughout all the subnetworks in the secure LAN, the bridge design would be somewhat complex. Also, only unclassified sources could address a packet to all destinations in a multilevel LAN. Sidhu and Gasser do not address the "full" multicast extension at this time.

It should be noted that since the security label is part of the CSMA/CD protocol, the part of the TIU responsible for maintaining the integrity of the CSMA/CD header must be trusted. Various aspects of handling CSMA/CD or higher layer protocols (including getting data within the packet transmitted properly) need not be subject to the rigorous controls placed on the development of trusted systems. This is the authors' motivation for the separation of functions that will be discussed later.

CSMA/CD alone is not generally suitable for internetworking; however, for this secure LAN architecture the authors felt that the capabilities of CSMA/CD are adequate for communication among subscribers on a small number of subnetworks. The authors see the use of CSMA/CD alone as one of the means by which the design can be made simple and implementable in the near-term, especially considering the additional requirements that must be imposed on the implementation of trusted systems. However, in the long term as traffic load increases and the number of subnetworks grows, congestion and bottlenecks may require a more powerful protocol appropriate to internetworking.

This security architecture does not depend on any particular network layer protocol; however, the authors recommend the use of the DoD Internet Protocol (IP), or an enhanced version of IP as outlined in Skelton's report [Ref. 15] which takes into account some characteristics of local area networks. IP provides a primitive form of congestion control. By considering a change to a new protocol now, the appropriate mechanisms can be employed to allow for future enhancement without any impact on the users of the LAN. For this upgrade of the CSMA/CD protocol it would be reasonable to merge CSMA/CD with limited portions of IP responsible for addressing, security, and congestion control, so that the separate subnetworks in the secure LAN would be treated as separate networks by the merged CSMA/CD-IP protocol. This simplifies the security issue somewhat and might possibly minimize congestion problems in the bridges as the load on the LAN increases. More comments on IP are provided in section F.

2. High Layer Protocols

This group consists of protocols at layer 4 and above in the ISO model. They use the services of the lower layer protocols and in turn provide value added services to a protocol layer or user above. For instance, if a reliable end-to-end data transfer service is required, it is provided by a data transfer protocol in this group using a suitable end-to-end acknowledgement scheme. Various other features that can be built into high layer protocols are retransmission on time-out, sequenced delivery of packets, flow and congestion control, etc. In general, the secure LAN design does not depend on or affect these high layer protocols in any way; however, comments will be made regarding the use of DoD standards for the host-to-host protocols, the Transmission Control [Ref. 16] and Internet [Ref. 17] Protocols (TCP/IP). It should be noted here that IP does not fit neatly into a specific layer of the ISO reference model because it lies somewhere within or below TCP (which is at layer 4) and above the link layer, therefore making it a "low layer" protocol. The low layer protocols previously discussed provide the basic transport mechanism for moving data between TIUs in the LAN and through the bridges. The protocols together provide a service that can be used to support a variety of high layer protocols depending on the applications. Note that lower layer protocols do not provide assurance that packets will be delivered or that they will be delivered in the order in which they are transmitted. There is also no automatic end-to-end acknowledgement for successfully delivered packets. If any of these features are desired they must be based on a suitable high layer protocol.

In order to achieve reliable and in-order data delivery at a destination in the LAN, TCP can be implemented on the network layer protocol. IP and TCP are DoD standard protocols for a "catenet" (an interconnected system of packet switched computer communication networks) [Ref. 18: pp. 287-305]. In the catenet environment, IP provides a datagram service from a source to a destination host. It also provides for fragmentation and reassembly of long datagrams for transmission through networks with small packet sizes. TCP is a connection oriented, end-to-end reliable host-to-host protocol for data delivery. It provides for recovery from lost, damaged, duplicated and out-of-order delivered data by underlying less reliable media. The sending TCP assigns a sequence number to each transmitted packet and requires a positive acknowledgement (ACK) from the receiving TCP. If this ACK is not received in a specified time out interval, then the sending TCP assumes that the packet is lost and retransmits it. The sequence numbers are also used for detecting duplicate or out-of-order packets. A checksum routine is used to detect damaged packets (note also that the CSMA/CD protocol already detects damaged packets with its frame check). TCP also has a "window" mechanism for flow control that regulates the data flow between source and destination.

Sidhu and Gasser mention TCP not only because it is a DoD standard and therefore likely to be used for wide-area networks, but because they feel it will be suitable for use in a LAN as well. Since users of the LAN will have a need to access TCP-based systems on wide-area networks via a gateway, great difficulties in compatibility can be avoided if the protocols used by subscribers throughout the LAN are also TCP and IP.

Sidhu and Gasser also point out that all higher layer protocols, including TCP, are unaffected by their secure LAN design; however, it is important to note some potential problems that may occur with certain implementations. There is an options field in the header of the IP and one of the options may be the security label for the packet. Also, higher layer protocols may include such labelling. But the authors have designed the secure LAN such that it uses a security label in the low layer (CSMA/CD) protocol instead. Anything above layer 2 is simply data to the CSMA/CD protocol and is ignored by the trusted portions of the TIU. If an untrusted single-level host created that data and is responsible for handling the TCP and IP protocol, then any higher layer security labels cannot be believed by the trusted CSMA/CD protocol handler in the TIU. Therefore, for the single-level and variable-level resource scenarios discussed in chapter V, which allow only single-level hosts, there is no problem in ignoring the IP or higher layer security labels and using only the security labels in the CSMA/CD layer protocol. The security level in the IP header might be used to specify the "real" level of the data contained in a packet labelled by a single-level TIU at a higher level, but then administrative controls would be necessary to actually downgrade that packet.


The multilevel resource scenario requires the ability to support multilevel hosts. In this environment a multilevel host will "choose" the security level of each packet it sends, and this level must be believed by the TIU, at least within the range of allowable values. Usually multilevel hosts support several processes running at different security levels on a single operating system. Therefore, the security level of a packet depends on the level of the process that sent that packet and is inserted into the packet by the trusted operating system of the host. For hosts that have TCP this security level would more than likely be associated with the TCP protocol layer, since TCP is the layer at which processes are identified.

If a host has TCP, then the fully formed TCP packets are transferred into the TIU with some control information so that the low layer protocol envelope can be created. If TCP were to be implemented in the TIU then the same thing happens but within the TIU itself (the host just transfers "raw" data plus some control information to the TIU so that the proper TCP packets are created by the TIU). In either case, there must be some means by which security information known to the TCP implementation is transmitted to the lower layer protocols for the labels that are the basis for security markings in the LAN.

If the IP and CSMA/CD protocols were to examine security labels in the headers of higher layer protocols, then this would be a violation of the ISO concept of separation of protocol layers (lower layer protocols are not supposed to know about the TCP formats). Instead, the security label would have to be passed along as control information (an additional parameter) from the high layer software to the lowest layer interface. Sidhu and Gasser's concept appears workable; however, it is still not very clean, as it requires information relevant to the high layer data to become part of the low layer protocol.


For eventual upgrading to combine IP with CSMA/CD, the security label problem is somewhat simplified because the label already in the IP options field could be utilized. But this does not fully eliminate the problem where the security information originates above the TCP layer.


E. TRUSTED INTERFACE UNIT (TIU)

The single-level architecture is emphasized in this chapter. Although the most detailed design is presented for the single-level resource scenario, enhancements will be discussed for the remaining two scenarios. The major goal in this architecture has been to provide a distinct red/black separation within the TIU and to minimize the complexity and size of the mechanism in the red area that is responsible for maintaining security. In conventional red/black separation devices, there is a crypto unit between the two sides. Usually, neither the red nor the black side is responsible for maintaining security, and if either fails it is unlikely that the crypto unit will pass intelligible data. In our TIU, the red side must be "trusted" to work properly, or at least to prevent accidental disclosure of data, despite the possibility of hardware failure. Note that the concept of "red/black" with respect to the TIU refers to multilevel (trusted) vs. single-level (untrusted) rather than to classified vs. unclassified. The analogy between the two is useful, however, as the single-level portion may be unclassified, but it might also be classified at any level at or below the maximum of the multilevel subnetwork to which the TIU is attached. In any case, the single-level part does not need to be trusted. For many cases, such as TIUs serving Top Secret subscribers on a Top Secret network, significant cost savings may be realized by providing non-TEMPEST versions of TIUs.


Sidhu and Gasser strongly stress their motivation for minimizing the amount of mechanism in the TIU requiring trust. TIUs may be quite complex, and research has demonstrated the feasibility of implementing most of the TCP/IP in the LAN interface units [Ref. 15]. They do not expect that it will be possible to adequately verify a large body of software or firmware such as the TCP/IP in the time frame required for the single-level and variable-level scenarios. The verification process is in support of certification (the technical process whereby a procedure, program, system component, or system(s) are shown to be secure, i.e., that the security design specifications are correct and have been properly implemented [Ref. 19: p. C-2]) of the TIU for a multilevel LAN application. Therefore, the less software, firmware, and overall hardware mechanism that must be trusted, the greater the probability that certification for multilevel operation will be achieved. The feasibility of implementing a single-level TIU is based on the rather trivial increase in functionality required over that of a conventional interface unit (as previously demonstrated by the CSMA/CD protocol modifications discussed earlier). A simpler option would be to build "untrusted" interface units, implementing the full required functionality, rather than going with the trusted TIUs that could be built today. The detailed TIU is considered more of a technical challenge only because of the red/black or trusted/untrusted separation requirement.

1. Single-Level TIU

Figure 6.2 [Ref. 2: p. 43] depicts the architecture of the single-level TIU. The details in the figure have not been worked out to date. The design is not dependent on whether the LAN is broadband or baseband, but it does depend on the use of a CSMA/CD protocol. It is also not dependent on whether a "two cable" (separate inbound and outbound cables) or single cable system is used.


[Figure 6.2 Trusted Interface Unit (TIU) Architecture. Blocks shown: LAN MEDIUM; BLACK | RED | INTERFACE; CSMA/CD; MEMORY; SECURITY PROCESSOR; MICROPROCESSOR BUS; I/O PORT; TERMINAL OR HOST]


The dotted line denotes the portions of the LAN and the LAN medium that carry multilevel data. The TIU is termed "single-level" because it allows its subscribers to send or receive data at only one specific security level, the level being determined during manufacture of the red side circuitry or by some maintenance function on the red side. The red side of the TIU is actually multilevel secure in the sense that it sorts out the single-level data from multilevel data received from the LAN medium, and is subject to the controls necessary for trusted multilevel operation.

Four components reside within the red area, all physically protected to the highest level of the subnetwork:

LAN medium: This is in the red because it carries multilevel data in the clear. It is a passive cable where the only "failure" could be denial of service rather than compromise.

Interface: This portion of the TIU provides the physical interface to the cable. This is a passive system and could fail by denying service to the subscriber at this TIU.

CSMA/CD: This is the hardware that implements most of the CSMA/CD protocol and destination address recognition. For IEEE 802 and similar protocols such as Ethernet, the authors expect that off-the-shelf hardware will be available to provide most of the logic to recognize valid incoming packets destined for this TIU and to handle the contention and retransmission algorithms necessary to service an outbound packet. This hardware may also handle the frame check on inbound and outbound packets and notify the security processor when a valid packet has been received or transmitted. Note that the CSMA/CD component must be trusted to leave unmodified the security field of the packet. If it should make an error in address recognition, the only compromise will be need-to-know. If it should make an error in recognizing the frame check (i.e., accepts a packet as valid despite an incorrect frame check), a compromise due to receipt of an incorrectly marked classified packet is highly unlikely due to the other checks that are made by the CSMA/CD interface and security processor. This design should be fully compatible with off-the-shelf components because the overall packet format and the fields used by possible "standard" CSMA/CD interfaces are left unchanged. The source and destination addresses are treated as single fields by the CSMA/CD interface; the two-part addressing structure is interpreted only by the bridges. The security level field is ignored by the CSMA/CD interface as if it were part of the "data".

Security Processor: The sole purpose of this component is to examine the security level field of incoming packets for legal values and to insert the correct security level into that field on outgoing packets. A received packet that gets past the CSMA/CD component (because the packet has the correct destination address) but has the wrong security level will be rejected by the security processor. The security processor can be set to accept a certain range of values for incoming levels, including only one specific level. However, because the single-level TIU assumes that nothing outside the red area is trusted, secure communications can only take place at a single level.

Contained in the black area of the TIU are a CPU, memory and I/O ports. That part of the CSMA/CD protocol not responsible for maintaining the header and security label integrity may be implemented in the black area if it can be conveniently separated from the CSMA/CD processor. Because the black area deals only with data of a single security level, it need not be trusted and can be as complex as desired. Even if the black TIU software contained a "Trojan Horse" attempting to exploit a covert channel [Ref. 20: pp. 613-615], it would not be able to transmit data on the LAN to a destination of the wrong level, or to receive data from the LAN of the wrong level. Proper implementation considerations should ensure that even timing channels could not be exploited by untrusted software in the TIU or interfacing host.

Due to the high data rate possible on a LAN, it should be stressed that covert and timing channels, if exploitable, may provide illicit high bandwidth communications paths that may not normally be important for slower communications media such as packet-switched networks. Unless all the interfacing hosts can be certified not to contain subversive (Trojan Horse) software, adequate security is not provided by a LAN unless these covert channels are closed. The authors feel that the secure LAN architecture presented here does close such channels for all practical purposes.

Packets coming into the TIU from the LAN will arrive bit-serially. The off-the-shelf CSMA/CD hardware will be designed to dump data one byte at a time into a microprocessor memory with little buffering in the CSMA/CD hardware itself. Also, the CSMA/CD hardware checks the destination address "on the fly". If the destination is incorrect, the rest of the packet is ignored (not dumped into memory) and the CPU is not notified. If the address is correct, the remainder of the packet gets deposited until the frame check at the end. The CPU is notified of correct receipt only after the frame check is determined to be correct.

The security processor must work in conjunction with the CSMA/CD hardware, but it looks only at the security level field. It will refuse to pass further bytes of incoming data from a packet if the security level in the header is incorrect; otherwise it transparently passes all data. To find the security level field, it must recognize the start of a frame. On output, it has the option of setting the security level to a particular value or checking that the value inserted by the CPU is correct before transmitting.

If the security processor and CSMA/CD hardware are allowed to dump incoming packets into the microprocessor memory on the fly before the packet is determined to be legal, it is possible that several bytes might be dumped before the packet is recognized as not being for the current recipient or as being of the wrong security level. If this were to occur, then a Trojan Horse in the untrusted CPU could attempt to read partially-accepted packets even if the CPU is not notified of correct receipt of data. However, the possibility of compromise would be limited to information that could be communicated via a covert channel in the header of the packet, because the remainder of an unacceptable packet does not appear in memory at all. Given these concerns and the fact that the authors are assuming totally untrusted software in the black side of all TIUs, it is necessary to protect against this threat by buffering, in the red area (probably in the security processor), the first several bytes of the packet until the packet header is determined to be valid. This buffering could be accomplished in the form of a shift register the length of the header up to the security field, so that the first byte does not enter the memory until the header is read.

Note here that even if the header is buffered and loaded into memory only when the security level is valid, there is a possibility that the packet might still be in error, and that error would not be detected until the frame check is read. If this were to happen, a complete erroneous packet would be sitting in memory for the CPU to read. However, it is highly unlikely that both the destination and security level will check out correctly if the packet was in error and not intended for the designated recipient. If a trusted mechanism inserts the security level into the original packet, it would be almost impossible for untrusted mechanisms to exploit random line noise in an attempt to send a packet to an unauthorized destination. This cannot be considered a useful information channel since it cannot be controlled in any reliable manner.

On a CSMA/CD network there may be many illegal packets received due to collisions. It is therefore possible that a packet from a low security level TIU can collide with a transmission from a high level TIU, yielding a packet containing a mixture of levels. However, if the authors' trusted CSMA/CD hardware works correctly, and if the network is correctly configured according to the distance, spacing, and other electrical requirements of the hardware and medium, all collisions will be detected before the field containing the security level is reached. A basic tenet of CSMA/CD protocols is that collisions can only occur during the transmission of the first several bytes of data. All transmitting TIUs sensing a collision should stop transmitting well before they begin to send the data field of the packet, and the "listen before talk" concept prevents a TIU from transmitting in the middle of another TIU's data field. Therefore, the maximum amount of high security level information that could be mixed in with a low level packet would be the destination and probably the source fields. Utilizing the authors' header buffering scheme in the security processor, any collision would occur well before any of the high level data was loaded into memory. Even if a malfunction prevents the transmitting TIUs from stopping at a collision, it is unlikely that the garbled security level field will be acceptable to the receiving TIU. The use of suitable encoding of values in the security level can further minimize the chance of error. Also, auditing can detect such malfunctions.

In this initial version a TCP and IP implementation in the TIU will be located in the untrusted portions. If IP were to be further integrated into CSMA/CD, at least a portion of it would have to be contained within the security perimeter.

2. Variable-Level TIU

Since there will be a need in the WIS community for terminals to run at a variety of levels, a minor enhancement to the security processor in the TIU could be performed to accommodate this "variable-level" capability. The authors propose the use of a rotary switch hardwired to the red side of the TIU so that the user can manually select the level at which he intends to operate. It is assumed that the user is cleared to access any security level available on the switch. The only purpose of the switch is to allow the security processor to receive and transmit properly marked data at a level below the maximum of the TIU. Since the black side of the TIU that reads terminal input is not trusted, the security level cannot be entered from the terminal keyboard as "normal" keystrokes. Note that if the user forgets to set the rotary switch to the correct level of the destination with which he is communicating, communication will fail. Consideration should be given to the fact that any change of the switch position (to a lower security level) must result in an automatic reset of the black portion of the TIU and clearing of all its buffers and memory. It can be seen that this variable-level capability would not function well in support of the user who must rapidly switch between levels. This switching option really only supports the ability to logon and communicate with one single-level host at a time, as does the single-level TIU. It does, however, avoid the need for separate TIUs or terminals for the different levels at which a user might want to logon.

Sidhu and Gasser have ignored the issue of how to manage the terminals that are connected to these variable-level TIUs. To enforce security it is necessary that any memory in a terminal be scrubbed in a prescribed manner before lowering the level of a terminal. This may be administratively handled as a manual procedure required at each level change, but the ease of turning a rotary switch on the TIU might dictate more automatic scrubbing of the terminal, linked to the switch or controlled by the TIU itself, to protect against human error. The overall problem here is how to appropriately deal with the additional flexibility afforded by the variable-level TIUs without increasing the risk of accidental compromise by the user.
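As an added illustration (not code from the thesis or from Sidhu and Gasser's design), the following Python simulation models the single-level TIU's inbound and outbound paths described above: the red-side shift register that holds the header until the destination and security level field have been validated, CPU notification only after a correct frame check, the outbound level check, and the variable-level rotary switch whose lowering resets the black side. The frame layout (two-part addresses, a one-byte level field, a CRC-16 frame check), the level values, and the class and method names are all assumptions made for the example.

```python
import binascii

# Constructed frame layout for this simulation (illustrative, not the
# thesis's exact CSMA/CD format):
#   byte 0: destination subnetwork     byte 1: destination host
#   byte 2: source subnetwork          byte 3: source host
#   byte 4: security level             bytes 5..: data
#   last 2 bytes: frame check (CRC-16/CCITT over everything before it)
HEADER_LEN = 5      # bytes held in the red-side shift register before release
FCS_LEN = 2
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = 0, 1, 2, 3


def with_fcs(body):
    """CSMA/CD hardware function: append the frame check to a frame body."""
    return body + binascii.crc_hqx(body, 0xFFFF).to_bytes(2, "big")


def build_frame(dst, src, level, data):
    """Untrusted (black-side) frame assembly; dst/src are (subnet, host)."""
    return with_fcs(bytes([dst[0], dst[1], src[0], src[1], level]) + data)


class SingleLevelTIU:
    """Red-side security processor plus the untrusted black side it protects."""

    def __init__(self, address, level):
        self.address = address      # this TIU's (subnet, host) address
        self.level = level          # operating level, set on the red side
        self.memory = []            # black-side memory: frames the CPU can read
        self.notifications = 0      # times the CPU was told "valid packet"
        self.audit = []             # red-side audit records

    def receive(self, wire):
        """Inbound path, byte-serial. Nothing reaches black-side memory until
        the destination and the security level field have been validated."""
        shift_register = bytearray()    # red-side buffer, invisible to the CPU
        staging = bytearray()           # black-side memory being filled
        accepted = False
        for b in wire:
            if accepted:
                staging.append(b)
                continue
            shift_register.append(b)
            if len(shift_register) < HEADER_LEN:
                continue
            # Whole header buffered: CSMA/CD address recognition first ...
            if (shift_register[0], shift_register[1]) != self.address:
                return "ignored"            # rest of frame never stored
            # ... then the security processor checks the level field
            if shift_register[4] != self.level:
                self.audit.append(("inbound-wrong-level", shift_register[4]))
                return "rejected"           # header bytes stay in the red area
            accepted = True
            staging.extend(shift_register)  # header released to memory
        if not accepted:
            return "ignored"                # runt frame, header never completed
        # The frame now sits in memory; the CPU is notified only if the frame
        # check is correct (an erroneous frame stays in memory unannounced).
        self.memory.append(bytes(staging))
        if with_fcs(bytes(staging[:-FCS_LEN])) != bytes(staging):
            return "bad-fcs"
        self.notifications += 1
        return "delivered"

    def transmit(self, dst, data, cpu_level=None):
        """Outbound path. The level is handed down as control information;
        the red side checks the CPU-inserted value against the operating
        level and refuses to transmit a mismatch."""
        level = self.level if cpu_level is None else cpu_level
        if level != self.level:
            self.audit.append(("outbound-wrong-level", level))
            return None
        return build_frame(dst, self.address, level, data)

    def set_level(self, new_level):
        """Variable-level enhancement: the red-side rotary switch. Lowering
        the level resets the black side, clearing its memory and buffers."""
        if new_level < self.level:
            self.memory.clear()
        self.level = new_level
```

The "bad-fcs" path deliberately reproduces the caveat in the text: once the header has passed both checks, the bytes are already in black-side memory when the frame check fails, and all the red side can do is withhold the notification. A frame for another TIU or with the wrong level never reaches memory at all, which is the point of the shift register.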

3. Multilevel TIU

A true multilevel TIU would allow the subscriber to make packet-by-packet decisions as to what the level should be and would receive packets of a range of levels, marking them appropriately in a trusted manner. If the security level decisions and packet markings were specified by mechanisms outside the TIU (e.g., multilevel host TCP), then the entire TIU must be considered trusted and in the red. This would then make the security processor redundant unless the LAN contains information of levels outside the multilevel host range. Formal certification of a considerable amount of TIU software might be required, depending on the complexity of the protocols implemented in the TIU. For TIUs that implement complex functions it may be possible to construct a TIU that has a form of hardware and software protection so that part of the TIU can be trusted and part untrusted, similar to what is done for trusted operating systems. Further study is needed to determine whether building and trusting such a protection mechanism is simpler than the effort to build and trust the entire TIU. Building a multilevel TIU is the least of the problems in achieving a general multilevel computing capability because trusted hosts and multilevel terminals must be available first.

E. BRIDGES

Since a bridge is to examine the packet headers created by the TIUs, the bridge has a TIU-type interface on each of the networks to which it is attached and implements TIU protocols. Each bridge also recognizes the destination address of packets passing by on its respective subnetworks.

In general, bridges must pass multilevel data from one multilevel subnetwork to another; therefore there is little motivation for providing simple red/black separation as in the TIUs (unless one of the subnetworks is single-level). The authors envision the bridge to consist entirely of trusted hardware and software. The architecture for a bridge could be constructed that would allow at least some of the internal functions to be untrusted, but their design is simple enough that an additional mechanism to separate the trusted and untrusted portions is probably unwarranted. This is especially true because it is expected that the bridge will work at the protocol layer in the TIU at which the trusted TIU functions (security processor and CSMA/CD protocol handler) already operate, thereby allowing the exploitation of similar mechanisms.

First the full bridge that implements only the CSMA/CD and physical layer protocols will be discussed. Figure 6.3 [Ref. 2: p. 48] represents the logical structure of the bridge, interposed between two subnetworks. The figure shows the flow of packets as they arrive from one subnetwork on the left and are sent to the other on the right. This is a "half-duplex" illustration (the entire bridge consists of two identical structures of figure 6.3 for full duplex operation), although in reality some of the hardware (i.e., the CSMA/CD interface on each side) might be shared for both directions as in a TIU. Note that the half-duplex bridge is not the same as the half-bridge as illustrated in figure 4.2.

The bridge construction is similar to two TIUs back-to-back with modified address selection and security processor mechanisms. A buffer at least large enough to hold one complete maximum size packet in each direction is necessary because the CSMA/CD protocol requires the ability to retain the packet for retransmission when a collision occurs. To ensure greater reliability, there should be several packet buffers on the transmit side so that temporary congestion on the receiving subnetwork can be smoothed out. Multiple receiving buffers could also be used to take care of temporary bursts of packets arriving faster than the bridge can process them. Note that this buffering capacity will not be able to take care of one subnetwork's consistently being unable to accept data as fast as another subnetwork is sending, since such buffers would quickly fill up. Only temporary overloads can be handled. This buffering capability does allow the use of a slower processor in the bridge that is only capable of handling an average load rather than the peak load, without any noticeable degradation of service.

Packets broadcast on the sending subnetwork arrive at the bridge (upper left of figure 6.3), and are selected for acceptance into the input buffers based on the destination field in the header and the routing table within the bridge that specifies which destinations to accept. It is expected


[Figure 6.3 (logical structure of the bridge): SENDING SUBNETWORK on the left, RECEIVING SUBNETWORK on the right]


is an explicit part of the destination field. If the input buffers should fill to capacity, then the CSMA/CD interface could be turned off so that all packets are simply rejected, which is similar to what the TIU does when its buffers are full.

The packets that have been buffered on the input side are then processed by the bridge for security restrictions, and the acceptable packets that satisfy all the security checks are placed into the output buffers for transmission without further modification of any of their fields.

Note that because the bridge only implements CSMA/CD, requiring no acknowledgement or reply of any kind, there need not be a logical or physical connection between the two half-duplex portions of the bridge. Therefore, one option to enhance performance might be to limit each bridge to half-duplex operation; two such bridges would be required between each pair of subnetworks.

1. Security Processing

The major part of the bridge processing is in the security processing, not in the routing, which is done before input buffering by selective acceptance of packets. Packets removed from the input buffer are examined by the bridge's security processor for acceptable security level fields based on both the receiving and sending subnetworks' security levels. It enforces both minimum and maximum levels. Packets arriving at the bridge must be marked at least at the minimum level of the sending subnetwork. Packets marked below that minimum would either be upgraded by the bridge or rejected and audited as illegal. If a packet were audited as illegal, the audit record would probably be warranted, since a marking that is too low is the result of a faulty TIU or configuration problem, or an indication of a hardware penetration attempt. However, auditing would probably be more efficiently implemented by a special "security-watch" TIU that scans all packets rather than by the bridge. Packets above the maximum of the sending subnetwork should also be audited, but in any case they should not be downgraded, due to the possibility that a configuration error may cause data of too high a level to be placed on the sending subnetwork. The checks with respect to the minimum and maximum levels of the receiving subnetwork are similar, except that, if the packet is out of range, it is not necessarily due to a fault in a TIU or configuration problem. The sender may simply have misaddressed the packet to a receiver on the wrong subnetwork. In some cases it may be acceptable for a low level TIU to send a packet to a high level TIU for certain applications. Such a packet may have to be upgraded by the bridge to the minimum level of the receiving subnetwork, but it should be able to be read by the destination TIU without any security problems.

Although it is possible for the bridge to know the security level of the final destination subnetwork and to compare that level with the security level of the packet, there appears to be no reason for the added complexity of checking any more than the level of the next subnetwork to which the packet is forwarded. This is especially true since the destination TIU or last bridge in the sequence must make the final security check anyway. Therefore, the bridge's knowledge of the subnetwork structure of the LAN need not go further than the two subnetworks to which it is connected.

Although the authors indicate that, for expedience, it probably will be necessary to trust the entire bridge, the only part of the bridge that actually enforces security is the security processor. Therefore, the routing, transmission and buffering mechanisms need only be trusted not to modify any of the packet information. Once the security processor has accepted a packet, mis-routing (to the wrong TIU) cannot result in a security violation.
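As an added example (not the thesis's or the referenced design's code), the following Python model of a half-duplex bridge combines the routing acceptance described earlier (a row vector in which a 1 in column n means the bridge picks packets destined for subnetwork n) with the security processing rules just discussed: minimum and maximum levels of both the sending and receiving subnetworks, upgrade or reject-and-audit below the sending minimum, never downgrade above the sending maximum, upgrade to the receiving minimum for legitimate low-to-high traffic, and reject-and-audit above the receiving maximum. The frame layout (destination subnetwork in byte 0, level in byte 4, CRC-16 frame check at the end), the level numbering and all names are assumptions of the example; an upgraded packet gets its frame check recomputed, which is the one modification the model makes to a forwarded packet.

```python
import binascii

# Constructed frame layout (assumption for this example): dst_subnet, dst_host,
# src_subnet, src_host, level, data..., then a 2-byte CRC-16/CCITT frame check.
LEVEL_OFFSET = 4
FCS_LEN = 2


def with_fcs(body):
    """Append the frame check, as the CSMA/CD hardware would on transmit."""
    return body + binascii.crc_hqx(body, 0xFFFF).to_bytes(2, "big")


class Bridge:
    """Trusted half-duplex bridge from a sending to a receiving subnetwork."""

    def __init__(self, send_range, recv_range, accept_vector,
                 upgrade_low_senders=False):
        self.send_min, self.send_max = send_range   # sending subnetwork levels
        self.recv_min, self.recv_max = recv_range   # receiving subnetwork levels
        self.accept = accept_vector                 # row vector indexed by subnet
        self.upgrade_low_senders = upgrade_low_senders
        self.input_buffer = []      # packets picked off the sending subnetwork
        self.output_buffer = []     # packets cleared for the receiving subnetwork
        self.audit = []             # (reason, level) records

    def accept_from_medium(self, frame):
        """Routing, done before input buffering: pick the packet only if the
        row vector has a 1 in the column of its destination subnetwork."""
        dst_subnet = frame[0]
        if dst_subnet < len(self.accept) and self.accept[dst_subnet] == 1:
            self.input_buffer.append(frame)
            return True
        return False

    def security_process(self, frame):
        """Security processor: enforce both subnetworks' level ranges."""
        level = frame[LEVEL_OFFSET]
        # Checks against the sending subnetwork's range
        if level > self.send_max:
            # Too-high data on the sending subnetwork: audit, never downgrade
            self.audit.append(("above-sending-max", level))
            return "rejected"
        if level < self.send_min:
            if not self.upgrade_low_senders:
                self.audit.append(("below-sending-min", level))
                return "rejected"
            level = self.send_min       # site policy chose upgrade instead
        # Checks against the receiving subnetwork's range
        if level > self.recv_max:
            # Probably misaddressed rather than a faulty TIU; still rejected
            self.audit.append(("misaddressed-too-high", level))
            return "rejected"
        if level < self.recv_min:
            level = self.recv_min       # legitimate low-to-high traffic
        if level != frame[LEVEL_OFFSET]:
            body = bytearray(frame[:-FCS_LEN])
            body[LEVEL_OFFSET] = level
            frame = with_fcs(bytes(body))   # relabelled, frame check redone
        self.output_buffer.append(frame)
        return "forwarded"

    def process_input(self):
        """Drain the input buffer through the security processor in order."""
        results = []
        while self.input_buffer:
            results.append(self.security_process(self.input_buffer.pop(0)))
        return results
```

The routing decision touches only the destination subnetwork byte and the security decision only the level byte, which mirrors the text's point that the rest of the bridge need only be trusted not to modify packet contents: once `security_process` has accepted a packet, delivering it to the wrong TIU on the receiving subnetwork cannot violate the level constraints.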

2. Routing Concepts

Many possibilities exist for multiple paths from a source to a destination at a LAN site, since a subnetwork may have a number of bridges attached to it and a bridge connects two subnetworks to each other. In such a situation, a bridge might be required to decide on which path to transmit a packet based on the dynamics of the load on the two subnetworks. This decision-making capability sounds desirable, but the authors have designed their bridges with static routing for simplicity. Therefore, restrictions are needed to define only one logical path between each pair of source and destination addresses (for multiple physical paths) in the LAN. Such a unique path from a source to a destination can be ensured by requiring that only one bridge on a subnetwork can receive a packet destined for any other subnetwork at a site.

The routing table in the bridge determines whether a data packet on one subnetwork should be picked up by the bridge for broadcast into the other subnetwork. The bridge reads the destination subnetwork number in the header of the packet and picks the packet for transmission to the other subnetwork if the bridge provides logical connectivity to the destination subnetwork. This means that a bridge must store information about all the destination subnetworks that lie on logical paths through it. An easy way of storing this information in a bridge is in the form of a row vector, as depicted in figure 6.4(a) [Ref. 2: p. 51], where a 1 in column n means that this bridge will pick packets destined for the remote subnetwork numbered n. Note that this structure would entail programming a different row vector into each bridge. In order to simplify configuration management,



it may be more desirable to make the tables in all bridges identical. To accomplish this, the row vectors for all bridges could be combined into an M x N matrix, as shown in figure 6.4(b) [Ref. 2: p. 51], where M is the total number of bridges and N is the number of subnetworks in the LAN.

Figure 6.4 Fixed Routing Tables. (a) Row vector for one bridge, indexed by local network number: a 1 (0) in column n means that bridge will (not) pick packets destined for subnetwork n. (b) M x N matrix combining the rows for bridges 1, 2 and 3 against local network number.

To keep this design simple, the routing information in the matrix is static (it does not change with time). The design does allow for future enhancements to include dynamic updating of the routing information in the bridges; however, this would be at the expense of introducing considerable complexity into the trusted bridge software.
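The routing rules above can be made concrete. The following Python model is an added illustration, not code from the thesis or from the bridge design it reviews: the hierarchical (subnetwork, TIU) addresses follow the authors' header format, but the bridge names, subnetwork numbers, the topology and the assumption that a bridge keeps one row per direction of forwarding (so it never has to know which side of it a destination lies on) are constructed for the example. It encodes a bridge's pick decision, builds the figure 6.4(b) matrix, checks the one-logical-path rule, and follows a packet hop by hop through the static tables.

```python
"""Static bridge routing tables after figure 6.4.  Added illustration: the
bridge names, subnetwork numbers and topology are constructed, and the
assumption that a bridge keeps one row per direction (so it never needs to
know which side a destination lies on) is the example's, not the thesis's."""
from collections import namedtuple

Addr = namedtuple("Addr", "subnet tiu")        # hierarchical CSMA/CD address
Packet = namedtuple("Packet", "src dst payload")


class Bridge:
    """A bridge joining two subnetworks, with static routing rows."""

    def __init__(self, name, side_a, side_b, pick_from_a, pick_from_b):
        self.name = name
        self.sides = (side_a, side_b)
        # rows[heard_on]: destination subnetwork numbers whose packets this
        # bridge picks off `heard_on` and rebroadcasts on the other side.
        self.rows = {side_a: frozenset(pick_from_a), side_b: frozenset(pick_from_b)}

    def picks(self, pkt, heard_on):
        """The routing-table decision: read the destination subnetwork number
        from the header; pick the packet if this bridge lies on the logical
        path to it from the side the packet was heard on."""
        return heard_on in self.sides and pkt.dst.subnet in self.rows[heard_on]

    def other_side(self, heard_on):
        a, b = self.sides
        return b if heard_on == a else a


def as_matrix(bridges, subnets):
    """Figure 6.4(b): one M x N table (bridge x subnetwork) loaded identically
    into every bridge; entry 1 means that bridge picks packets for that subnet."""
    return {b.name: [int(any(n in row for row in b.rows.values())) for n in subnets]
            for b in bridges}


def check_unique_paths(bridges, subnets):
    """Enforce the one-logical-path rule: on any subnetwork, at most one bridge
    may pick packets for a given destination.  Returns the violations found."""
    problems = []
    for s in subnets:
        for d in subnets:
            if s == d:
                continue
            pickers = sorted(b.name for b in bridges if s in b.sides and d in b.rows[s])
            if len(pickers) > 1:
                problems.append((s, d, pickers))
    return problems


def route(pkt, bridges, max_hops=8):
    """Follow the static tables from the source subnetwork.  Returns the list
    of subnetworks traversed, None if no bridge forwards the packet further
    (or the tables loop), and raises if two bridges would both pick it."""
    here, path = pkt.src.subnet, [pkt.src.subnet]
    while here != pkt.dst.subnet:
        if len(path) > max_hops:
            return None
        pickers = [b for b in bridges if b.picks(pkt, here)]
        if not pickers:
            return None
        if len(pickers) > 1:
            raise ValueError(f"subnet {here}: {len(pickers)} bridges pick dest {pkt.dst.subnet}")
        here = pickers[0].other_side(here)
        path.append(here)
    return path


# Constructed topology: 1 --B1-- 2 --B2-- 3, plus subnetwork 4 with no bridge.
SUBNETS = [1, 2, 3, 4]
BRIDGES = [
    Bridge("B1", 1, 2, pick_from_a={2, 3}, pick_from_b={1}),
    Bridge("B2", 2, 3, pick_from_a={3}, pick_from_b={1, 2}),
]
# A third bridge joining 1 and 3 directly creates a second physical path and,
# unless its rows are trimmed, two pickers on subnetworks 1 and 3.
EXTRA = Bridge("B3", 1, 3, pick_from_a={3}, pick_from_b={1})

if __name__ == "__main__":
    print(as_matrix(BRIDGES, SUBNETS))
    print(route(Packet(Addr(1, 5), Addr(3, 7), b"query"), BRIDGES))
    print(check_unique_paths(BRIDGES + [EXTRA], SUBNETS))
```

With the two-bridge chain every packet has exactly one path; adding B3 shows how check_unique_paths catches the configuration the thesis warns about, and route refuses to forward rather than duplicating the packet.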

3. Buffering

There is a finite total buffer capacity in each bridge for holding packets received from one subnetwork for transmission into the other. Both the input and output buffers work in a first-in, first-out (FIFO) fashion: packets arriving first are the first to be processed or transmitted. It was previously stated that if the bridge's buffers are full, it will turn off the CSMA/CD interface so that additional packets are ignored until more buffer space becomes available. This situation would most likely occur when the receiving subnetwork is overloaded with excessive collisions, or because the bridge is not processing the input load fast enough.

The authors' strategy of ignoring new packets when the buffers are full is only one option. Another is for the bridge to throw out the oldest packet it has received to make room for new ones. This option might be justified on the assumption that by the time the bridge's buffers fill up, the oldest packet in the bridge is likely to be retransmitted by the sender anyway. Throwing out the oldest packet may avoid duplication of packets at the destination or flooding the LAN with duplicates. Note that any such retransmission would be implemented only in a higher layer protocol (e.g., TCP) that has a timeout, since the authors have assumed that the low layer LAN protocols will not retransmit. An extension of this would be to automatically purge any packet that has been resident in a bridge longer than a fixed maximum time, keyed to the anticipated higher layer protocol timeouts.
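The three buffer strategies discussed (ignore new arrivals while full, discard the oldest packet, purge packets older than a fixed residency time) behave differently under the same overload. The simulation below is an added example, not the authors' design; its arrival and service instants are constructed so that six packets arrive while the congested output side wins the medium only three times.

```python
"""Bridge buffer overflow policies.  Added example, not the authors' design;
arrival and service instants are constructed for the illustration."""
from collections import deque


class BridgeBuffer:
    """A finite FIFO between the receive and transmit CSMA/CD interfaces."""

    POLICIES = ("drop_new", "drop_oldest", "max_age")

    def __init__(self, capacity, policy="drop_new", max_age=None):
        if policy not in self.POLICIES:
            raise ValueError(policy)
        if policy == "max_age" and max_age is None:
            raise ValueError("max_age policy needs a residency limit")
        self.capacity, self.policy, self.max_age = capacity, policy, max_age
        self.queue = deque()          # (arrival_time, packet_id), oldest first
        self.forwarded, self.dropped = [], []

    def _purge_stale(self, now):
        # Residency-time purge keyed to the higher-layer (TCP) timeout.
        if self.policy == "max_age":
            while self.queue and now - self.queue[0][0] > self.max_age:
                self.dropped.append(self.queue.popleft()[1])

    def receive(self, now, pkt):
        self._purge_stale(now)
        if len(self.queue) >= self.capacity:
            if self.policy == "drop_oldest":
                self.dropped.append(self.queue.popleft()[1])   # make room
            else:
                self.dropped.append(pkt)   # interface off: arrival is ignored
                return
        self.queue.append((now, pkt))

    def transmit(self, now):
        """Called when the output side wins the medium: send the head packet."""
        self._purge_stale(now)
        if self.queue:
            self.forwarded.append(self.queue.popleft()[1])


def simulate(policy, arrivals, service_times, capacity=3, max_age=None):
    """arrivals: (time, packet_id) pairs heard on the input subnetwork;
    service_times: instants at which the congested output subnetwork lets the
    bridge transmit.  Returns (forwarded_ids, dropped_ids) in event order."""
    buf = BridgeBuffer(capacity, policy, max_age)
    events = sorted(
        [(t, 1, p) for t, p in arrivals] + [(t, 0, None) for t in service_times],
        key=lambda e: (e[0], e[1]),
    )
    for t, is_arrival, p in events:
        if is_arrival:
            buf.receive(t, p)
        else:
            buf.transmit(t)
    return buf.forwarded, buf.dropped


# Constructed overload: six packets arrive one per tick while the output side
# is blocked by collisions, then gets the medium only at ticks 6, 7 and 8.
ARRIVALS = [(t, f"p{t + 1}") for t in range(6)]
SERVICE = [6, 7, 8]

if __name__ == "__main__":
    for policy in BridgeBuffer.POLICIES:
        fwd, drp = simulate(policy, ARRIVALS, SERVICE, capacity=3, max_age=4)
        print(f"{policy:12s} forwarded={fwd} dropped={drp}")
```

The first policy delivers the oldest three packets and loses the newest; the second delivers the newest three; the residency-time purge (here 4 ticks) delivers only what is still fresh when the medium frees up, which is the behaviour wanted when the sender's TCP is going to retransmit the older packets anyway.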


4. Split Bridges

Whenever two classified subnetworks cannot be brought into close physical proximity, a bridge must be split; in other words, each half-duplex bridge would be divided into two halves. This situation would only occur if there were no encryption technology able to encrypt the LAN medium itself. The CSMA/CD interfaces on the transmit and receive sides of the bridge must be physically close to the LAN media because of timing constraints. Therefore, the design issue here is how to divide the internal functionality of the bridge so that enough hardware exists on either side, adjacent to the CSMA/CD interface, to communicate with the local subnetwork, while providing a reliable, encryptable serial link between the two halves.

If the half-duplex bridge (figure 6.3) were to be split, then security considerations clearly dictate that the security processor lie on the left (receiving) side if the sending subnetwork is at a higher level than the receiving subnetwork. If the sending subnetwork is at a lower security level, no security processor is required at all. With two subnetworks of different levels, there should be a security processor to filter packets going in one of the two directions; if minimum levels are also to be enforced, security processors are required in both directions. From these conclusions it is clear that there must be a security processor on the receiving side of each half-bridge, and that the serial encrypted link would lie between the security processor and the transmit buffers. However, a great deal of design work is still required in this area.



F. FLOW AND CONGESTION CONTROL


Flow and congestion controls are mechanisms that control the traffic in the network so that network resources are not oversubscribed. Flow control regulates the rate of flow of information between two points in the network. Congestion control is inherently a multipoint mechanism that controls the total amount of traffic entering the network to prevent overload of the aggregate network resources, thereby keeping network throughput at an acceptable level.

Flow control in the secure LAN is implemented in the higher layer protocols. Congestion issues in the secure LAN differ from those in other LANs only because bridges are the links between the subnetworks. Congestion should be a concern here because a particular subnetwork can be overloaded by its own subscribers together with packets arriving from the bridges. If a subnetwork is heavily congested, repeated collisions will occur on attempts by bridges (and TIUs) to transmit packets to it. This will probably slow the rate of packet flow through the bridge and cause the bridges' buffers to back up. In this situation the bridge simply ignores incoming packets it cannot buffer, implementing a crude form of congestion control in the link level protocol. This is probably not a completely satisfactory solution to the potential congestion of a subnetwork by flow from the bridges, and it stems from the limitations of the CSMA/CD protocol. Another option might be to implement a layer of protocol on or within the link level protocol in the bridges that can be used to quench the source(s) of data feeding traffic into a congested bridge or subnetwork. This option might consist of implementing part of the Internet Protocol (IP) in the bridges, either as part of the CSMA/CD protocol or as a layer above it. Congestion control in IP involves the transmission of a control packet (the ICMP source quench message) from the bridge back to the transmitting TIU that stops the flow of incoming packets. Implementing a new protocol in the bridge that is not security-relevant adds complexity to the issue. The cost of a bridge that isolates the security-relevant portions would be significantly greater than that of the simple "pure" CSMA/CD-based bridge, all of which is trusted. The other alternative, fully trusting a bridge containing IP, may be infeasible because of the complexity of a full IP.


VII. SUMMARY


The sole points of access to media containing data at multiple security levels are the TIUs and bridges. Therefore, they must be "trusted" by LAN subscribers to correctly perform their functions, and only those specified for them. Such trust is usually the result of a thorough verification process that examines both normal and fault-ridden processing. A basic trade-off exists between the cost and effort of conducting this process and the assurance gained from it.

The implementation of the CSMA/CD access discipline (within the TIU) must be trusted never to modify data or their associated security label. The implementation of the security processor must be trusted never to modify data or their security level, to perform its checking function correctly, and to maintain the correct security level for its attached host or terminal.

Three phases of design implementation are envisioned which bear directly on the issue of trust. The first phase calls for single-level, untrusted host and terminal subscribers. The second phase calls for untrusted host and terminal subscribers which may change security levels (following appropriate sanitization procedures) from time to time; each such change requires re-informing the TIU of the applicable security level. The third phase calls for trusted host and terminal subscribers capable of simultaneously supporting and governing untrusted processes running at different security levels. This phase calls for the rapid multiplexing of multilevel data exchanges. The other two phases require that the TIU enforce a single security level unless there is manual intervention. The third phase also implies that the attached subscribers are trusted to correctly label outgoing data.

A better approach might be to design a Data Base Management System (DBMS) that would handle data labelling. However, this protection would have to be extensive, since any variables extracted from classified files would somehow have to carry that same classification level throughout.

The bridges connecting discrete LANs pose a greater requirement for trusted functions. Their implementations of the CSMA/CD discipline and the security processor require the same trust as those of the TIU. The management of the buffer space requires verification that no message intermixture or other modification can occur. Finally, the fact that a bridge spans two networks, each holding multilevel data, means that the bridge's security processor must function as a multilevel one, with attendant complexity in the verification. Note that the aforementioned consequences were not addressed by the authors in their design.

A. ADVANTAGES

1. This design concept enforces a multilevel security policy over a collection of local networks and their subscribers, and it is intended to prevent security compromises among cleared but untrusted processes. Therefore, an untrusted but highly classified process cannot address and send classified data to a process classified at a lower level, just as it cannot downgrade information that it places on the LAN medium. An untrusted process classified at a lower level cannot gain access to data on the media that are classified at a higher level.

2. The consequences of fault conditions that can occur during LAN operations are addressed. The error-checking procedures of the CSMA/CD function make it unlikely that bit errors can simultaneously cause classified data to be mismarked in the security field and misrouted in the address field. Either of these errors alone will cause the data to be rejected by the addressee's TIU. Also, collision detection makes it extremely unlikely that a transmission collision can result in data intermixing and a resulting compromise.
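The claim in item 2 can be checked directly. The Python below is an added example rather than the authors' frame format: it uses a simplified header (16-bit destination and source addresses, a one-byte security label) protected by the CRC-32 that IEEE 802.3 uses as its frame check sequence, flips every combination of up to three header bits, and counts how many corrupted frames pass the check. It also shows the second line of defence the text relies on: a label or address error that somehow passed the FCS is still rejected by the addressee TIU's own checks. The address values, label encoding and payload are constructed.

```python
"""Bit errors in the security label or address field versus the CSMA/CD frame
check sequence.  Added example: the header layout is a simplified stand-in for
the authors' modified header, and the payload is constructed."""
import itertools
import struct
import zlib

HEADER = struct.Struct(">HHB")      # dst addr, src addr (subnet<<8 | tiu), label
LABELS = {0: "Unclassified", 1: "Confidential", 2: "Secret", 3: "Top Secret"}


def build_frame(dst, src, label, payload):
    """Header + payload, followed by CRC-32 as 802.3 uses for its FCS."""
    body = HEADER.pack(dst, src, label) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame, check_fcs=True):
    """Return the header fields and payload, or None if the FCS rejects it.
    check_fcs=False shows what the TIU would see without the CRC check."""
    body, fcs = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if check_fcs and zlib.crc32(body) & 0xFFFFFFFF != fcs:
        return None
    dst, src, label = HEADER.unpack_from(body)
    return {"dst": dst, "src": src, "label": label, "payload": body[HEADER.size:]}


def tiu_accepts(fields, my_addr, lo, hi):
    """The addressee TIU's own checks: the frame must be for this TIU and its
    label must lie within the level range the TIU was initialised to."""
    return fields is not None and fields["dst"] == my_addr and lo <= fields["label"] <= hi


def flip_bits(frame, positions):
    """Return a copy of the frame with the given bit positions inverted
    (bit 0 is the most significant bit of the first byte)."""
    out = bytearray(frame)
    for pos in positions:
        out[pos // 8] ^= 1 << (7 - pos % 8)
    return bytes(out)


def undetected_header_errors(frame, max_bits):
    """Flip every combination of 1..max_bits bits within the header fields
    and count the corrupted frames the FCS fails to reject."""
    header_bits = range(HEADER.size * 8)
    undetected = 0
    for k in range(1, max_bits + 1):
        for positions in itertools.combinations(header_bits, k):
            if parse_frame(flip_bits(frame, positions)) is not None:
                undetected += 1
    return undetected


# Constructed frame: Secret data from TIU 2 on subnet 3 to TIU 5 on subnet 1.
FRAME = build_frame(dst=0x0105, src=0x0302, label=2, payload=b"constructed payload")
LABEL_LSB = HEADER.size * 8 - 1        # last bit of the label byte

if __name__ == "__main__":
    print("undetected 1..3-bit header errors:", undetected_header_errors(FRAME, 3))
    # Suppose the FCS were skipped: a single flipped label bit turns Secret into
    # Top Secret, and a Secret-only TIU still refuses the frame.
    seen = parse_frame(flip_bits(FRAME, [LABEL_LSB]), check_fcs=False)
    print(LABELS[seen["label"]], "accepted by Secret TIU:", tiu_accepts(seen, 0x0105, 2, 2))
```

CRC-32 has a minimum Hamming distance of 4 for frames far longer than any 802.3 frame, so every error of one to three bits in the header is rejected by the FCS; the exhaustive count confirms it for this frame. The last two lines show the independent address and label checks that catch a corrupted frame even if the FCS were bypassed.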

3. Convenience is the chief advantage of this "trusted system" design. It allows the simultaneous sharing and protection of data in an environment of multiple LANs. Even though it has the advantage of building on existing technology, the design costs could be quite high because of the data management engineering that would have to be built into the gates and bridges.

B.  DISADVANTAGES 

1. The design concept presented can handle multiple security levels but has generally ignored the control of need-to-know. In order to implement this requirement there must be additional mechanisms in each TIU to limit the values of the source or destination fields in the packets. Such mechanisms would probably add considerable complexity to the TIU in terms of trusted software. Authorization databases could be made accessible to TIUs on the LAN, with the TIUs making requests for connection via these databases.

2. A TIU attached to a terminal cannot verify the identity of the user. Each TIU must assume that anyone with physical access to it is authorized to access anything on the network within the range of security levels at which the TIU is initialized. Many authentication mechanisms (passwords, keys, etc.) could be implemented, but, as with need-to-know, the constraints of this architecture dictate that the ultimate granter of access must be the TIU and not an external mechanism of the LAN.



3. Even though the secure LAN is multilevel in the sense that data of different security levels are kept separated with respect to the subscribers in that subnetwork environment, the overall security of the data on the subnetwork against threats from outside the environment depends on the ability to physically protect the LAN medium, the TIUs and the bridges. Link encryption might protect portions of the medium that cannot be physically protected. Except where the TIUs and bridges connect to the medium, data of all security levels must be in the red (that is, in plaintext). Therefore, if there is a physical security breach and a TIU or a red portion of the medium is compromised, all data on the subnetwork are accessible to the penetrator. Only techniques that encrypt all data on the medium can counter such an attack. This possible threat may be compounded by the fact that, because of the nature of the broadcast medium, unauthorized receipt of data by a compromised TIU or a line tap may not be detectable. A related problem is a possible malfunction of the TIU resulting in the subscriber's receipt of data for which he was not authorized. The use of end-to-end encryption would prevent such a compromise.

Unauthorized access to the medium or compromise of a TIU could also result in an active attack in which a penetrator injects packets into the network to cause receipt of classified data or to masquerade as a classified TIU.

4. There is no way to remotely disable a subscriber or control access between subscribers, since there is no central authority capable of granting permission for two TIUs to communicate. Authority to communicate is distributed among all the TIUs on the subnetwork.

5. Since the physical subnetwork is assumed to be relatively static, it is not possible to install a new subscriber of an arbitrary security level anywhere along the medium. For example, if in a building containing only a Secret subnetwork one wanted to add a Top Secret terminal, it would be necessary either to upgrade the entire subnetwork in the building to Top Secret, or to link that Top Secret terminal to a TIU on the nearest Top Secret subnetwork in another building by an encrypted line.

One advantage of general LAN technology is the ability to add subscribers wherever desired without disruption of service. This secure LAN architecture retains that ability only for subnetworks within a given security environment.

6. The problem of congestion depends greatly on the physical layout of the LAN and its subscribers. The authors did not address the use of multiple bridges to dynamically distribute the load among the bridges, or multiple subnetwork connections for a bridge to alter routing around a congested subnetwork. Through the exchange of control information between bridges, either of these enhancements could be implemented, although, as noted in the discussion of dynamic routing, at the cost of added complexity in the trusted bridge software. The congestion problem should be taken into account because the subnetwork structure is more likely to be configured to accommodate the security requirements than for load distribution.

7. There will probably be a delay in packet delivery time due to the bridges. The amount of delay will depend on the power of the bridges, the load on the various subnetworks, and the number of subnetworks a packet must travel through. The need for a bridge to fully buffer a packet before retransmission alone introduces a considerable delay compared to single-network LAN delays. The choice of a datagram CSMA/CD service for the LAN protocol makes the low layer protocols immune to delay, but higher layer protocols such as TCP, which provide acknowledgements and may have timeouts tuned to typical LAN delays, might have problems adjusting their timeouts to the locality of the destination.


8. The authors modified the standard source and destination address fields of CSMA/CD to contain a subnetwork address along with each TIU address. This hierarchical structure of the address is irrelevant to the address-recognition hardware in the TIU; however, the structure does restrict the possible addresses a TIU may have. In other words, all TIUs on a single subnetwork must have addresses whose subnetwork number has a specific value, or falls within a specific range, and these ranges must be unique for each subnetwork on the LAN. The hierarchical address is no particular problem if a portion of the address-recognition mechanism in the TIUs can be "programmed" on-site for the particular subnetwork number, but the management of subnetwork numbers requires additional configuration control that is not required in other LANs. Only the subnetwork portion of the address should be configurable on-site in the TIUs; otherwise one would have to "configuration manage" the address of every TIU on the LAN.

The manner in which the addresses are determined could be another disadvantage. Manufacturers "burn in" addresses at the factory such that no two devices will ever have the same address (similar to embossing serial numbers on products). This technique minimizes the cost of the hardware in each interface unit that would otherwise be needed to program the address on-site, and it eliminates the possibility of duplication among the thousands of interface units to be manufactured. However, it does prevent users from selecting specific addresses they may want. Another method for determining addresses would be to add a software layer that lets users select addresses, but this could be more costly than the "burn-in" method.


I 


An alternative to the hierarchical address structure is to use the standard CSMA/CD address but to hold large tables in the bridges that identify the subnetwork of each destination TIU on the LAN. This would require continuous configuration management of these tables if new subscribers are added to the LAN fairly frequently.

9. Throughout this design concept the authors have assumed that suitable encryption devices are available that can handle both the LAN medium itself, for those portions of the subnetwork that are classified but must pass through unprotected areas, and the lines between the subscribers and their TIUs, for those subscribers remote from their subnetwork. Encryption for the latter is completely straightforward, as the TIU-subscriber lines will involve relatively low speeds and protocols for which encryption is commonly applied today. The authors based their secure LAN on a coaxial cable with broadband signals, implying that the cable would have to terminate at the crypto units, where the signals would be demodulated, converted to digital form and encrypted. The encrypted bit stream could be transmitted over any desired communications medium while in the unprotected area, until reaching the other end, at which the bit stream is decrypted and remodulated onto another coaxial cable.

Two disadvantages are apparent here. First, there is a noticeable delay involved in the encryption and decryption of data, and this delay would probably be noticeable to the CSMA/CD protocol. This type of delay is relevant to CSMA/CD because it delays a TIU's reading of its own transmission, which is how it detects a collision. The major impact of a small delay is on performance, but a large delay could affect security because of assumptions made in the TIU design about the way the CSMA/CD protocol detects collisions.


The second disadvantage occurs when there is information other than LAN data on the medium, for example when LAN data and television signals share the same broadband cable. To encrypt just the LAN data without destroying the TV signals (assuming these are unclassified), trusted repeaters would have to be used to capture and rebroadcast only specific unclassified TV channels.

To deal with the problem of interaction between the delay and the protocols, a given subnetwork must be entirely protected, and encryption would occur only between the half-bridges joining the subnetworks. In other words, limit encryption to the bridges only, or, better yet, incorporate end-to-end encryption.

10. Another disadvantage is the case of a low level user submitting queries to a database in a high level host. The response from the host would have to be filtered through a guard for downgrading. If the downgrading were reliable, there would be no problem in allowing the query itself to go directly from the user to the host. The real problem is that the higher layer TCP cannot work in a one-way fashion. A TCP acknowledgement from a high to a low security level cannot be permitted in this design concept because security is enforced in the low layer protocols, and establishing a connection, even a one-way one, requires two-way communication. A method of dealing with this disadvantage would again be to design a DBMS that would handle data labelling.
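The one-way problem of item 10 follows from the bridge security processor described in the bridge design section: a packet below the receiving subnetwork's minimum level is upgraded to that minimum, while a packet above its maximum is rejected. The Python below is an added example, not the authors' or the thesis's code; the subnetwork ranges, the linear ordering of levels without compartments and the scripted three-way handshake are assumptions made for the illustration.

```python
"""The bridge security processor applied to a TCP connection attempt across
security levels.  Added example, not the authors' code: subnetwork ranges,
the linear order of levels and the scripted handshake are constructed."""
from dataclasses import dataclass, replace

LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subnet:
    number: int
    min_level: str
    max_level: str


@dataclass(frozen=True)
class Packet:
    src_subnet: int
    dst_subnet: int
    label: str          # security label carried in the header
    tcp_flags: str      # "SYN", "SYN/ACK" or "ACK"


def security_processor(pkt, receiving):
    """Decide whether `pkt` may be placed on `receiving`.  A label above the
    subnetwork's maximum would be a downgrade and is rejected (None); a label
    below its minimum is upgraded to that minimum, as the thesis allows for
    low-to-high traffic; otherwise the packet passes unchanged."""
    if RANK[pkt.label] > RANK[receiving.max_level]:
        return None
    if RANK[pkt.label] < RANK[receiving.min_level]:
        return replace(pkt, label=receiving.min_level)
    return pkt


def attempt_connection(subnets, client_subnet, server_subnet, client_label, server_label):
    """Run the three-way handshake through the bridge(s).  Each segment is
    checked against the range of the subnetwork it is delivered to.  Returns
    (log, established); the attempt stops at the first rejected segment."""
    steps = (
        Packet(client_subnet, server_subnet, client_label, "SYN"),
        Packet(server_subnet, client_subnet, server_label, "SYN/ACK"),
        Packet(client_subnet, server_subnet, client_label, "ACK"),
    )
    log = []
    for pkt in steps:
        out = security_processor(pkt, subnets[pkt.dst_subnet])
        if out is None:
            log.append((pkt.tcp_flags, "REJECTED"))
            return log, False
        log.append((pkt.tcp_flags, f"forwarded as {out.label}"))
    return log, True


# Constructed site: subnetworks 1 and 3 are single-level Secret, 2 is Top Secret.
SUBNETS = {
    1: Subnet(1, "Secret", "Secret"),
    2: Subnet(2, "Top Secret", "Top Secret"),
    3: Subnet(3, "Secret", "Secret"),
}

if __name__ == "__main__":
    # Secret user querying a Top Secret database host: the SYN goes up (and is
    # relabelled Top Secret) but the SYN/ACK coming back down is rejected.
    print(attempt_connection(SUBNETS, 1, 2, "Secret", "Top Secret"))
    # Same-level peers on different subnetworks: the handshake completes.
    print(attempt_connection(SUBNETS, 1, 3, "Secret", "Secret"))
```

The query segment is released onto the Top Secret subnetwork with its label raised, exactly as the bridge discussion allows, but the host's SYN/ACK is labelled Top Secret and can never be placed on the Secret subnetwork, so the connection is never established. Nothing in the low layer filter can fix this; only a trusted downgrader (the guard the text mentions) or a different transport design can.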

11. Another example related to one-way communications is the problem of LANs that use control packets on the network for administrative and maintenance functions. For example, TIUs might send periodic control packets to some central destination in order to monitor the status of all TIUs; or there might be a requirement for a maintenance procedure that interrogates all TIUs to see if they are responding. Also, accounting information or statistics gathering may be required.




The authors have not allowed for any special type of control packet to which the security restrictions do not apply. These administrative interactions will more than likely be required, and it may be possible to implement them within the operational security constraints. Consideration should be given to building a special-purpose TIU for maintenance purposes that can read packets of all levels while it sends unclassified packets that can be read by any destination. Such a TIU would itself be a trusted component, since it reads data at all levels and writes only at the lowest.

12. The last major potential disadvantage lies in the authors' choice of the protocols TCP and IP. TCP and IP are not commercial standards. To the extent that there is movement toward a commercial standard, the CCITT X.25 international standard is favored. X.25 is a network interface protocol; it is designed to interface between a host and its local packet switch. Once packets reach a local switch, it is supposed to translate requests for service into another switch-to-switch protocol (e.g., X.75) for transport to a remote switch, which reconverts them into X.25 again. X.25 does not provide for end-to-end reliability; in fact, the standard explicitly specifies several situations in which a switch will close a connection when an error is detected. Furthermore, there are no mechanisms for demultiplexing or security. The design is such that a higher level transport layer protocol must provide these functions.

The European Computer Manufacturers Association (ECMA) and the National Bureau of Standards have submitted a series of transport layer protocols with different classes of capability [Ref. 21] as potential international standards. The Class 4 protocol in combination with X.25 provides most of the capabilities of TCP/IP. It is expected that 2-4 years of experience will be needed before these emerging standards reach a state of maturity. Note that TCP/IP went through four different versions and several large


Therefore, X.25 and the ECMA Class 4 protocol together might be considered viable alternatives to TCP/IP, but X.25 alone cannot. Since the ECMA transport protocols have only recently been made available or subjected to extensive testing, TCP/IP is probably the best product currently available.

There is one other protocol alternative worth mentioning, and that is Delta-t [Ref. 22]. Delta-t is an end-to-end timer-based transport protocol developed at Lawrence Livermore Laboratory. It provides most of the TCP/IP class of functions.

It is felt that TCP and IP should be used in the near term; however, this position should be reevaluated as the Federal and international standards mature.

C. FURTHER RECOMMENDATIONS

In addition to the various alternatives and recommendations that have already been made throughout this thesis, the following alternative approaches should also be examined for use in the secure LAN design.

1. Physically separate LANs can be employed using existing commercially available LAN hardware, and this approach therefore has minimal implementation risk. It differs from the authors' secure LAN architecture in that it does not use trusted interface units to separate traffic in each LAN, but assumes that such traffic is all of the same level. There is a problem here, in that, without trusted interface unit protection, subscribers are left with little choice but to physically protect all computers and terminals to the level of the LAN to which they connect. It also would not allow for easy implementation of the variable-level terminal concept or support for multilevel hosts.


2. The option of using different channels or time-division multiplexing to segregate security levels on a single cable should be examined for near-term use. There is an obvious advantage over the multiple cable approach above, as well as the opportunity to use commercially available hardware. However, the number of potential channels is still rather limited, the architecture is insensitive to relative traffic load, and trusted software is still required to allow resource-sharing among levels.

3. Some DoD-sponsored research is being done in the area of end-to-end encryption (encrypting a LAN medium), permitting a single cable to pass through all WIS-supported areas of a building regardless of physical protection. The encryption would protect resident data against wiretapping by unauthorized TIUs, and access control would be accomplished through key distribution. This method would require encryption modules within each TIU, and host TIUs which have open logical connections to more than one user would require more complicated encryption devices.

D. CONCLUSION

This thesis has presented and examined the results of an initial design-level study to incorporate multilevel security into local area networks for upgrading the ADP support to the WWMCCS Information System (WIS). The study focused on objectives that would be achievable in the 1985 time frame and therefore make maximum use of off-the-shelf technology. The design is oriented to minimizing the near-term risks for an initial WIS scenario while laying a foundation for the "maximum" long-term capability for WIS.

The reader should be aware that many of the ideas
covered in this design concept are still the subject of
basic research, and before they can be put into practice,
they need a more rigorous examination.



INITIAL DISTRIBUTION LIST

No. Copies

1. Defense Technical Information Center
   Cameron Station
   Alexandria, Virginia 22314
   Copies: 2

2. Library, Code 0142
   Naval Postgraduate School
   Monterey, California 93943
   Copies: 2

3. LT Debra A. Straub, USN
   NAVCOMMSTA, Box 22
   FPO New York 09571
   Copies: 1

4. Prof. Norman R. Lyons, Code 54Lb
   Department of Administrative Sciences
   Naval Postgraduate School
   Monterey, California 93943
   Copies: 1